Forem: Felix Jumason The latest articles on Forem by Felix Jumason (@blackie360). https://forem.com/blackie360 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1038955%2F196cc349-f1d3-4345-9e9c-545909a329eb.jpeg Forem: Felix Jumason https://forem.com/blackie360 en Building a Secure Home Lab on a Raspberry Pi with Tailscale, Pi-hole, and Nextcloud Felix Jumason Fri, 27 Mar 2026 19:50:40 +0000 https://forem.com/blackie360/building-a-secure-home-lab-on-a-raspberry-pi-with-tailscale-pi-hole-and-nextcloud-124n https://forem.com/blackie360/building-a-secure-home-lab-on-a-raspberry-pi-with-tailscale-pi-hole-and-nextcloud-124n <p>This article is written for anyone giving a talk—or quietly building a lab—about <strong>owning your data</strong>, <strong>reducing noise on the network</strong>, and <strong>reaching your services safely</strong> without turning your router into a public punching bag. We will use a <strong>Raspberry Pi</strong>, <strong>Docker Compose</strong>, <strong>Tailscale</strong> on the host, <strong>Pi-hole</strong> for DNS filtering, and <strong>Nextcloud</strong> for files and lightweight collaboration.</p> <p>The goal is not to replicate a data center. The goal is a <strong>small, understandable system</strong> you can reason about, patch, and back up.</p> <h2> Who this is for and what you get </h2> <p>You might be a developer who wants sync and calendars without a cloud bill, or a curious tinkerer who wants to learn networking and containers on real hardware. Either way, you get:</p> <ul> <li> <strong>Pi-hole</strong>: DNS-based ad blocking and telemetry reduction for your home (and optionally for devices on your tailnet).</li> <li> <strong>Nextcloud</strong>: Self-hosted files, sync, and optional apps (calendar, contacts, and more).</li> <li> <strong>Tailscale</strong>: A mesh VPN so you reach the Pi <strong>without</strong> exposing SSH or web UIs to the whole internet.</li> </ul> <p>Keep Pi-hole and Nextcloud in <strong>separate folders</strong> on the Pi (each with its own <code>docker-compose.yml</code> and <code>.env</code>). Tailscale is <strong>installed on the Raspberry Pi OS host</strong>, not inside those Compose files: the Pi joins your tailnet; Docker runs the services on top.</p> <h2> A light threat model (what you are actually protecting) </h2> <p><strong>Tailscale</strong> encrypts traffic between your devices and authenticates them to your tailnet. It does <strong>not</strong> replace:</p> <ul> <li>Strong passwords for Pi-hole admin, Nextcloud admin, and database users.</li> <li> <strong>Timely updates</strong> to the OS, Docker images, and Nextcloud apps.</li> <li> <strong>Backups</strong> of volumes (you will lose data if the SD card dies with no backup).</li> </ul> <p><strong>Pi-hole</strong> blocks many ads and trackers at DNS resolution. It does <strong>not</strong> replace a full security stack on clients; malware and phishing still exist.</p> <p><strong>Nextcloud</strong> is a rich PHP application with a large surface area. Treat it like any internet-facing app: least privilege, updates, and backups.</p> <p>In short: Tailscale shrinks <strong>who can reach</strong> your Pi; Pi-hole and Nextcloud still need <strong>good hygiene</strong> once someone is on the tailnet.</p> <h2> Hardware and OS choices </h2> <p>Raspberry Pi 4 or 5 with <strong>64-bit Raspberry Pi OS</strong> is a solid baseline. Nextcloud benefits from <strong>RAM</strong> (4 GB or more helps) and <strong>fast storage</strong>: an external SSD over USB 3 is dramatically better than a slow SD card for database I/O and file sync.</p> <p>If you use an SD card, expect more maintenance: monitor wear, keep backups, and avoid large Nextcloud sync jobs that thrash the card all day.</p> <h2> Architecture: how the pieces fit together </h2> <p>Tailscale runs on the Pi host. Docker runs Pi-hole and Nextcloud as separate Compose projects (or on separate Pis if you prefer). Traffic flows from your laptop or phone, through the encrypted mesh, to the Pi, then into the right container.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdw6vb87wfl5z2iext3z8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdw6vb87wfl5z2iext3z8.png" alt="flowchart" width="746" height="335"></a></p> <p><strong>Why Tailscale on the host?</strong> Your Pi’s Tailscale IP and MagicDNS name apply to services bound to the host’s interfaces. You can publish ports from Docker to the host; Tailscale clients then reach <code>100.x.y.z:port</code> or <code>pi-name.tailnet-name.ts.net:port</code> without extra container networking gymnastics. For advanced setups (e.g. container-only routing), Tailscale documents Docker sidecars; for most home labs, <strong>host Tailscale + Docker bridge networking</strong> is enough.</p> <h2> Install Docker Engine and Compose on the Pi </h2> <p>Use the official Docker documentation for <strong>Debian</strong> (Raspberry Pi OS is Debian-based). Install the <strong>Docker Engine</strong> and the <strong>Compose plugin</strong> so you can run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <p>Keep your working directory layout predictable, for example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>~/homelab/ pihole/ nextcloud/ </code></pre> </div> <p>Each stack has its own <code>docker-compose.yml</code> and a <code>.env</code> file (start from the templates in this article). <strong>Keep <code>.env</code> private</strong>—do not share or publish it.</p> <h2> Step-by-step: from a fresh Pi to both stacks </h2> <p>Follow these in order. The <strong>full Docker files</strong> for copy-paste are in the next two sections.</p> <ol> <li> <strong>Flash and boot</strong> 64-bit Raspberry Pi OS; create a user; run <code>sudo apt update &amp;&amp; sudo apt full-upgrade -y</code>.</li> <li> <strong>Install Docker Engine and the Compose plugin</strong> using <a href="https://docs.docker.com/engine/install/debian/" rel="noopener noreferrer">Docker’s Debian instructions</a> (Raspberry Pi OS is Debian-based). Add your user to the <code>docker</code> group, then sign out and back in so <code>docker</code> works without <code>sudo</code>.</li> <li> <strong>Install Tailscale on the host</strong> (not inside Compose): follow <a href="https://tailscale.com/download/linux" rel="noopener noreferrer">Tailscale’s Linux install</a>, run <code>sudo tailscale up</code>, and complete browser login. Note your <strong>Tailscale IPv4</strong> with <code>tailscale ip -4</code> and your <strong>MagicDNS</strong> hostname if you use it.</li> <li> <strong>Resolve port 53 before Pi-hole</strong>: Pi-hole needs TCP/UDP <strong>53</strong> on the host. If <code>systemd-resolved</code> holds the port, reconfigure or disable the stub listener (see <em>DNS, port 53, and systemd-resolved</em> below). Verify nothing else is bound with <code>ss -lunp | grep ':53'</code> or similar.</li> <li> <strong>Deploy Pi-hole</strong>: create a folder (e.g. <code>mkdir -p ~/homelab/pihole &amp;&amp; cd ~/homelab/pihole</code>), add the <strong>Pi-hole</strong> <code>docker-compose.yml</code> and <code>.env</code> contents from Pi-hole: full Docker files (save the env template as <code>.env</code> and replace placeholders).</li> <li> <strong>Start Pi-hole</strong>: <code>docker compose up -d</code>, then check logs with <code>docker compose logs -f</code> briefly. Open the admin UI at <code>http://&lt;pi-tailscale-ip&gt;:8080/admin</code>.</li> <li> <strong>Deploy Nextcloud</strong>: create a folder (e.g. <code>mkdir -p ~/homelab/nextcloud &amp;&amp; cd ~/homelab/nextcloud</code>), add the <strong>Nextcloud</strong> <code>docker-compose.yml</code> and <code>.env</code> contents from Nextcloud: full Docker files (save the env template as <code>.env</code> and replace placeholders).</li> <li> <strong>Start Nextcloud</strong>: <code>docker compose up -d</code>. Wait until MariaDB and Redis report healthy, then open <code>http://&lt;pi-tailscale-ip&gt;:8081</code> and sign in with the admin user from <code>.env</code> (first boot performs an unattended install when those variables are set).</li> <li> <strong>Fix “untrusted domain” if needed</strong>: add every hostname or IP you use in the browser to <code>NEXTCLOUD_TRUSTED_DOMAINS</code> (space-separated), then <code>docker compose restart app</code> or adjust via <code>occ</code> as documented by Nextcloud.</li> <li> <strong>Restrict Tailscale</strong>: in the <a href="https://login.tailscale.com/admin/acls" rel="noopener noreferrer">Tailscale admin console</a>, tune <strong>ACLs</strong> so only your user or devices can reach SSH, Pi-hole (53, 8080), and Nextcloud (8081).</li> <li> <strong>Set Pi-hole upstream DNS</strong> in the web UI (Settings → DNS) to resolvers you trust; optional DoH/DoT upstreams depend on your Pi-hole version and docs.</li> <li> <strong>Back up</strong> Docker volumes (or export data) before you rely on the lab; test a restore once.</li> </ol> <h2> Screenshots: Pi-hole and Nextcloud over Tailscale </h2> <p>Below is what a working setup looks like in the browser when you use your Pi’s <strong>Tailscale IP</strong> (addresses in the <code>100.64.0.0/10</code> range, shown as <code>100.x.x.x</code>). Plain <strong>HTTP</strong> is fine on a private tailnet for testing; the browser may still label the connection “Not secure” until you add HTTPS (for example <strong>Tailscale Serve</strong> or a reverse proxy with a certificate).</p> <h3> Pi-hole admin dashboard </h3> <p>![Pi-hole admin dashboard: DNS totals, blocked queries, 24-hour charts, and sidebar status — accessed at <a href="http://100.x.x.x:8080/admin" rel="noopener noreferrer">http://100.x.x.x:8080/admin</a> over Tailscale]</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkly0wf6jrmdouf2weeka.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkly0wf6jrmdouf2weeka.png" alt="Pi hole" width="800" height="410"></a></p> <p>The Pi-hole UI shows aggregate <strong>queries</strong>, <strong>blocks</strong>, <strong>percentage blocked</strong>, and per-client activity. The sidebar lists <strong>Status</strong>, <strong>Performance</strong>, and <strong>Hostname</strong> (Docker often shows a container ID there instead of the Pi’s host name). Your URL will look like <code>http://&lt;your-pi-tailscale-ip&gt;:8080/admin</code>.</p> <h3> Nextcloud Files </h3> <p>![Nextcloud Files app: All files, folders, and apps bar — accessed at <a href="http://100.x.x.x:8081" rel="noopener noreferrer">http://100.x.x.x:8081</a> over Tailscale]</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgf66slc3wfq0rfeu3o4v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgf66slc3wfq0rfeu3o4v.png" alt=" " width="800" height="410"></a></p> <p>Nextcloud is mapped to host port <strong>8081</strong> in this guide (<code>NEXTCLOUD_HTTP_PORT</code>). The <strong>Files</strong> app lists default folders (Documents, Photos, and so on) and the top bar links to other apps (Photos, Talk, Contacts, Calendar). Storage usage appears in the left sidebar.</p> <h2> Pi-hole: full Docker files </h2> <p>Save these as <code>docker-compose.yml</code> and <code>.env</code> in the same directory (e.g. <code>~/homelab/pihole</code>). Copy the env template to <code>.env</code> and replace placeholder values.</p> <h3> <code>docker-compose.yml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Pi-hole on Raspberry Pi (ARM64). Install Tailscale on the host, not in this file.</span> <span class="c1"># Port 53: stop or reconfigure systemd-resolved on the Pi before binding (see README in blog).</span> <span class="c1"># Copy .env.example to .env and set WEBPASSWORD + TZ.</span> <span class="na">services</span><span class="pi">:</span> <span class="na">pihole</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">pihole/pihole:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">pihole</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">pihole</span> <span class="na">platform</span><span class="pi">:</span> <span class="s">linux/arm64</span> <span class="na">ports</span><span class="pi">:</span> <span class="c1"># DNS — requires nothing else listening on 53 on the host (see blog: systemd-resolved)</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">53:53/tcp'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">53:53/udp'</span> <span class="c1"># Web UI — 8080 avoids clashing with other HTTP services on the Pi</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">8080:80/tcp'</span> <span class="c1"># Optional: HTTPS to admin UI (Pi-hole generates cert for its UI when enabled)</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">8443:443/tcp'</span> <span class="na">env_file</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.env</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pihole_etc:/etc/pihole</span> <span class="pi">-</span> <span class="s">pihole_dnsmasq:/etc/dnsmasq.d</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">cap_add</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NET_ADMIN</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pihole_net</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">pihole_etc</span><span class="pi">:</span> <span class="na">pihole_dnsmasq</span><span class="pi">:</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">pihole_net</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> </code></pre> </div> <h3> <code>.env</code> (template; copy from this example) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Copy to .env and adjust. Do not commit .env.</span> <span class="c"># Strong password for the Pi-hole web UI</span> <span class="nv">WEBPASSWORD</span><span class="o">=</span>change-me-to-a-long-random-string <span class="c"># IANA timezone, e.g. America/New_York, Europe/London</span> <span class="nv">TZ</span><span class="o">=</span>UTC </code></pre> </div> <h3> Commands </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/homelab/pihole <span class="c"># or your path</span> docker compose up <span class="nt">-d</span> </code></pre> </div> <h2> Pi-hole: DNS filtering without exposing the whole LAN </h2> <h3> What Pi-hole does </h3> <p>Pi-hole answers DNS queries from your network. Blocklists cause ad and tracker domains to resolve to nowhere (or a sinkhole), which cuts noise for every device that uses Pi-hole as its DNS server.</p> <h3> DNS, port 53, and systemd-resolved </h3> <p>Pi-hole needs <strong>TCP and UDP port 53</strong> on the host. On many Debian-based systems, <strong>systemd-resolved</strong> already listens on <code>127.0.0.53:53</code>. You must either:</p> <ul> <li> <strong>Stop or reconfigure</strong> the stub resolver so port 53 is free for Docker to bind, or</li> <li>Use a <strong>different deployment</strong> (for example host networking) with full understanding of the tradeoffs.</li> </ul> <p>This is the most common “it works on my laptop but not on the Pi” issue. Plan for ten minutes of reading your OS docs and verifying with <code>ss -ulnp | grep ':53'</code> or similar.</p> <p>Open <code>http://&lt;pi-tailscale-ip&gt;:8080/admin</code> from a device on your tailnet (after you restrict access with ACLs, described below).</p> <h3> Upstream DNS and privacy </h3> <p>Pi-hole forwards queries it does not block to <strong>upstream resolvers</strong>. You can choose:</p> <ul> <li>Your ISP’s DNS (simple, less privacy from the ISP).</li> <li> <strong>DNS over HTTPS (DoH)</strong> or <strong>DNS over TLS (DoT)</strong> to a provider you trust (better against casual snooping on the path; you still trust the provider).</li> </ul> <p>There is no single “correct” answer; document what you chose and why when you present this to others.</p> <h2> Nextcloud: full Docker files </h2> <p>Save these as <code>docker-compose.yml</code> and <code>.env</code> in the same directory (e.g. <code>~/homelab/nextcloud</code>). The app listens on host port <strong>8081</strong> by default so it does not clash with Pi-hole on <strong>8080</strong>.</p> <h3> <code>docker-compose.yml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Nextcloud + MariaDB + Redis for Raspberry Pi (ARM64). Tailscale runs on the host.</span> <span class="c1"># Web UI on host port 8081 (change if it clashes with Pi-hole or other services).</span> <span class="c1"># Copy .env.example to .env before `docker compose up -d`.</span> <span class="na">services</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mariadb:11</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">nextcloud-db</span> <span class="na">platform</span><span class="pi">:</span> <span class="s">linux/arm64</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">--transaction-isolation=READ-COMMITTED</span> <span class="s">--log-bin=binlog</span> <span class="s">--binlog-format=ROW</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">nextcloud_db_data:/var/lib/mysql</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MYSQL_ROOT_PASSWORD</span><span class="pi">:</span> <span class="s">${MYSQL_ROOT_PASSWORD}</span> <span class="na">MYSQL_PASSWORD</span><span class="pi">:</span> <span class="s">${MYSQL_PASSWORD}</span> <span class="na">MYSQL_DATABASE</span><span class="pi">:</span> <span class="s">${MYSQL_DATABASE}</span> <span class="na">MYSQL_USER</span><span class="pi">:</span> <span class="s">${MYSQL_USER}</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">CMD'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">healthcheck.sh'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">--connect'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">--innodb_initialized'</span><span class="pi">]</span> <span class="na">start_period</span><span class="pi">:</span> <span class="s">20s</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">nextcloud-redis</span> <span class="na">platform</span><span class="pi">:</span> <span class="s">linux/arm64</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">CMD'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">redis-cli'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">ping'</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">app</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nextcloud:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">nextcloud</span> <span class="na">platform</span><span class="pi">:</span> <span class="s">linux/arm64</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">${NEXTCLOUD_HTTP_PORT:-8081}:80'</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">nextcloud_app_data:/var/www/html</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MYSQL_HOST</span><span class="pi">:</span> <span class="s">db</span> <span class="na">MYSQL_DATABASE</span><span class="pi">:</span> <span class="s">${MYSQL_DATABASE}</span> <span class="na">MYSQL_USER</span><span class="pi">:</span> <span class="s">${MYSQL_USER}</span> <span class="na">MYSQL_PASSWORD</span><span class="pi">:</span> <span class="s">${MYSQL_PASSWORD}</span> <span class="na">NEXTCLOUD_ADMIN_USER</span><span class="pi">:</span> <span class="s">${NEXTCLOUD_ADMIN_USER}</span> <span class="na">NEXTCLOUD_ADMIN_PASSWORD</span><span class="pi">:</span> <span class="s">${NEXTCLOUD_ADMIN_PASSWORD}</span> <span class="na">REDIS_HOST</span><span class="pi">:</span> <span class="s">redis</span> <span class="c1"># Space-separated list (see Nextcloud docker entrypoint)</span> <span class="na">NEXTCLOUD_TRUSTED_DOMAINS</span><span class="pi">:</span> <span class="s">${NEXTCLOUD_TRUSTED_DOMAINS}</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">nextcloud_db_data</span><span class="pi">:</span> <span class="na">nextcloud_app_data</span><span class="pi">:</span> </code></pre> </div> <h3> <code>.env</code> (template; copy from this example) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Copy to .env and set strong passwords. Do not commit .env.</span> <span class="c"># MariaDB</span> <span class="nv">MYSQL_ROOT_PASSWORD</span><span class="o">=</span>change-me-root <span class="nv">MYSQL_DATABASE</span><span class="o">=</span>nextcloud <span class="nv">MYSQL_USER</span><span class="o">=</span>nextcloud <span class="nv">MYSQL_PASSWORD</span><span class="o">=</span>change-me-db-user <span class="c"># First admin user (required for unattended install on first boot)</span> <span class="nv">NEXTCLOUD_ADMIN_USER</span><span class="o">=</span>admin <span class="nv">NEXTCLOUD_ADMIN_PASSWORD</span><span class="o">=</span>change-me-admin <span class="c"># Space-separated hostnames or IPs allowed in trusted_domains (not commas)</span> <span class="c"># Add your Pi Tailscale MagicDNS name (e.g. pi.tail1234.ts.net) and 100.x.x.x as needed</span> <span class="nv">NEXTCLOUD_TRUSTED_DOMAINS</span><span class="o">=</span><span class="s2">"localhost 127.0.0.1"</span> <span class="c"># Host port mapped to container :80 (default 8081 to avoid clashing with Pi-hole on 8080)</span> <span class="nv">NEXTCLOUD_HTTP_PORT</span><span class="o">=</span>8081 </code></pre> </div> <h3> Commands </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/homelab/nextcloud <span class="c"># or your path</span> docker compose up <span class="nt">-d</span> </code></pre> </div> <h2> Nextcloud: your files on hardware you control </h2> <h3> Stack overview </h3> <p>This stack includes:</p> <ul> <li> <strong>MariaDB</strong> for the application database (with a healthcheck so the app starts after the DB is ready).</li> <li> <strong>Redis</strong> for PHP session storage (recommended for a smoother experience under load).</li> <li> <strong>Nextcloud</strong> itself, with data in a named volume.</li> </ul> <p>The web UI is published on host port <strong>8081</strong> by default (<code>NEXTCLOUD_HTTP_PORT</code> in <code>.env</code>) so it does not collide with Pi-hole’s <strong>8080</strong>.</p> <h3> First-time install and trusted domains </h3> <p>The official Nextcloud image can perform an <strong>unattended install</strong> if you set, before the first start:</p> <ul> <li> <code>MYSQL_*</code> variables pointing at the <code>db</code> service.</li> <li> <code>NEXTCLOUD_ADMIN_USER</code> and <code>NEXTCLOUD_ADMIN_PASSWORD</code>.</li> <li> <code>NEXTCLOUD_TRUSTED_DOMAINS</code> as a <strong>space-separated</strong> list (not comma-separated). The image’s entrypoint loops over each token and runs <code>occ config:system:set trusted_domains</code>.</li> </ul> <p>Add your Pi’s <strong>Tailscale MagicDNS name</strong> and <strong>100.x</strong> address once you know them, for example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">NEXTCLOUD_TRUSTED_DOMAINS</span><span class="o">=</span><span class="s2">"localhost 127.0.0.1 mypi.tailabc123.ts.net 100.101.102.103"</span> </code></pre> </div> <h3> HTTPS without opening the router </h3> <p>You have several good patterns:</p> <ul> <li> <strong>Tailscale Serve</strong> can terminate HTTPS for a local service and make it available on your tailnet with a proper certificate story for Tailscale’s model. This avoids port-forwarding on your home router.</li> <li>A <strong>reverse proxy</strong> on the host (Caddy, Traefik, nginx) with Let’s Encrypt is classic when you have a public hostname and ports 80/443 forwarded.</li> </ul> <p>For a talk aimed at “secure home lab,” leading with <strong>Tailscale + Serve</strong> keeps the story tight: <strong>no inbound ports</strong> on the ISP side if you do not want them.</p> <h2> Tailscale: tailnet, MagicDNS, and ACLs </h2> <h3> Join the Pi to your tailnet </h3> <p>Install Tailscale on Raspberry Pi OS using Tailscale’s documented steps, authenticate once, and enable <strong>MagicDNS</strong> if you like human-readable names such as <code>pi.tailnet.ts.net</code>.</p> <h3> Access control lists (ACLs) </h3> <p>By default, <strong>Tailscale’s admin console</strong> lets you write ACLs that describe <strong>which users and devices</strong> can reach <strong>which ports</strong> on which hosts. For a lab Pi, you might:</p> <ul> <li>Allow <strong>only your user</strong> to SSH to the Pi.</li> <li>Allow <strong>only your user</strong> to hit Pi-hole’s web UI and DNS.</li> <li>Allow <strong>only your user</strong> to use Nextcloud.</li> </ul> <p>Example shape (illustrative only; adapt tags and users to your tailnet):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"acls"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"accept"</span><span class="p">,</span><span class="w"> </span><span class="nl">"src"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"group:homelab-admins"</span><span class="p">],</span><span class="w"> </span><span class="nl">"dst"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"tag:pi-hole:53"</span><span class="p">,</span><span class="w"> </span><span class="s2">"tag:pi-hole:8080"</span><span class="p">,</span><span class="w"> </span><span class="s2">"tag:nextcloud:8081"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>In practice you will use <strong>auto tags</strong>, <strong>device names</strong>, or <strong>IP addresses</strong> as your org defines. The important idea for your audience: <strong>Tailscale is not “everything can reach everything.”</strong> You still design <strong>least privilege</strong>.</p> <h2> Operational security: updates, backups, and firewall </h2> <h3> Updates </h3> <ul> <li> <strong>Host</strong>: <code>apt</code> upgrades for the OS; reboot when the kernel requires it.</li> <li> <strong>Docker</strong>: <code>docker compose pull</code> and <code>docker compose up -d</code> per stack; read Nextcloud release notes before major jumps.</li> <li> <strong>Nextcloud apps</strong>: update from the Nextcloud UI on a schedule you can sustain.</li> </ul> <h3> Backups </h3> <p>Back up <strong>named volumes</strong> or the host paths behind them. A simple pattern is stopping the stack (brief downtime) and archiving volumes, or using a file-level backup tool that understands Docker. <strong>Test restores</strong> on a spare SD card or another Pi before you rely on backups.</p> <h3> Host firewall </h3> <p>If you only ever access services over Tailscale, you can use <strong>ufw</strong> or <strong>nftables</strong> on the Pi to <strong>drop</strong> inbound traffic on LAN and WAN interfaces while allowing Tailscale’s interface. If you also serve LAN clients without Tailscale, your rules differ. Document the two modes so you do not lock yourself out.</p> <h2> Common pitfalls (talk fodder) </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Symptom</th> <th>Likely cause</th> </tr> </thead> <tbody> <tr> <td>Pi-hole fails to bind port 53</td> <td> <code>systemd-resolved</code> or another DNS listener still on 53</td> </tr> <tr> <td>Nextcloud “untrusted domain”</td> <td>Missing entry in <code>NEXTCLOUD_TRUSTED_DOMAINS</code> for the hostname you type in the browser</td> </tr> <tr> <td>Nextcloud install loops or fails</td> <td>DB not ready; the Compose file uses <code>depends_on</code> with healthchecks to mitigate</td> </tr> <tr> <td>Slow Nextcloud on Pi</td> <td>SD card bottleneck; move data and DB to SSD; add RAM</td> </tr> <tr> <td>Locked out after enabling firewall</td> <td>SSH allowed only on wrong interface; keep a physical console or time-limited rule</td> </tr> </tbody> </table></div> <h2> Before you go live: checklist </h2> <ul> <li>[ ] <code>.env</code> files created from <code>.env.example</code> with <strong>long random</strong> passwords.</li> <li>[ ] Tailscale ACLs reviewed: only <strong>you</strong> (or your admin group) reach admin UIs and sensitive ports.</li> <li>[ ] <code>NEXTCLOUD_TRUSTED_DOMAINS</code> includes every hostname and Tailscale IP you will use.</li> <li>[ ] Backup plan exists and a <strong>restore</strong> has been tested once.</li> <li>[ ] Pi-hole upstream DNS choice documented (privacy and reliability tradeoffs understood).</li> <li>[ ] Router port-forwarding <strong>intentionally</strong> on or off; if off, Tailscale-only access is the primary path.</li> </ul> <h2> Closing </h2> <p>A Raspberry Pi home lab with <strong>Tailscale</strong>, <strong>Pi-hole</strong>, and <strong>Nextcloud</strong> is a practical way to learn <strong>real networking</strong>, <strong>container operations</strong>, and <strong>defense in depth</strong> without a rack full of gear. Keep the architecture boring: Tailscale on the host, Compose for services, strong secrets in <code>.env</code>, ACLs on the tailnet, and backups you have actually restored. That combination is easy to explain on stage and solid enough to live with at home.</p> <h2> References (official docs) </h2> <ul> <li><a href="https://tailscale.com/kb/" rel="noopener noreferrer">Tailscale</a></li> <li><a href="https://docs.pi-hole.net/docker/" rel="noopener noreferrer">Pi-hole Docker</a></li> <li><a href="https://github.com/nextcloud/docker" rel="noopener noreferrer">Nextcloud Docker</a></li> <li><a href="https://docs.docker.com/compose/" rel="noopener noreferrer">Docker Compose</a></li> </ul> Building an AI-Powered Community Assistant with Google Cloud Platform,Vercel AI SDK, and Calendar API Felix Jumason Sun, 09 Nov 2025 11:42:07 +0000 https://forem.com/blackie360/building-an-ai-powered-community-assistant-with-google-cloud-platform-ai-sdk-and-calendar-api-3opb https://forem.com/blackie360/building-an-ai-powered-community-assistant-with-google-cloud-platform-ai-sdk-and-calendar-api-3opb <p><em>How I integrated Google Gemini AI SDK and Google Calendar API to create CommunitySync—a conversational community management assistant</em></p> <h2> The Problem That Started It All </h2> <p>As someone deeply involved in community management, I've experienced firsthand the overwhelming burden of juggling multiple tools, spreadsheets, and platforms just to keep a community running smoothly. The constant context-switching between Google Calendar, Slack, spreadsheets, and various management tools wasn't just inefficient—it was exhausting.</p> <p><strong>The reality:</strong></p> <ul> <li>Community managers spend 10+ hours per week on repetitive administrative tasks</li> <li>Critical events get missed because they're buried in spreadsheets</li> <li>Team coordination becomes a nightmare when information is scattered across platforms</li> <li>The focus shifts from building relationships to managing tools</li> </ul> <p>I knew there had to be a better way—and Google Cloud Platform provided the perfect solution.</p> <h2> Introducing CommunitySync: Powered by GCP </h2> <p><strong>CommunitySync</strong> is an AI-powered community management assistant built on <strong>Google Cloud Platform</strong>, leveraging the <strong>Google Gemini AI SDK</strong> and <strong>Google Calendar API</strong> to create a seamless, conversational experience.</p> <p>Through natural conversation powered by Google's Gemini 2.5 Pro model, it helps community managers:</p> <ul> <li> <strong>Manage Events Seamlessly</strong>: Schedule, modify, and track community events using natural language—powered by Google Calendar API</li> <li> <strong>Calendar Integration</strong>: Full Google Calendar sync—view, create, and manage events directly from chat with real-time synchronization</li> <li> <strong>Proactive AI Assistance</strong>: Google Gemini AI anticipates needs and takes action, like automatically checking your calendar when you mention scheduling</li> <li> <strong>Context-Aware Conversations</strong>: Remembers your community's needs and preferences across conversations</li> </ul> <p>Simply chat naturally: <em>"Show me my upcoming events"</em> or <em>"Schedule a community meetup next Friday at 6 PM"</em> and CommunitySync handles the rest—all powered by Google Cloud Platform.</p> <h2> The Architecture: GCP at the Core </h2> <p>CommunitySync is built on a modern architecture with <strong>Google Cloud Platform</strong> services at its heart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────┐ │ Next.js 15 App Router │ │ (React Server Components + Actions) │ └─────────────────────────────────────────┘ │ ┌───────────┴───────────┐ │ │ ┌───────▼────────┐ ┌────────▼────────┐ │ Google Gemini │ │ Google Calendar│ │ AI SDK 2.5 │ │ API (GCP) │ └───────┬────────┘ └────────┬────────┘ │ │ │ Google Cloud OAuth │ │ Token Management │ └───────────┬───────────┘ │ ┌───────────▼───────────┐ │ PostgreSQL (Neon) │ │ + Drizzle ORM │ └───────────────────────┘ </code></pre> </div> <h3> Google Cloud Platform Services Used </h3> <ul> <li> <strong>Google Gemini AI SDK</strong>: Powers the conversational AI assistant with advanced tool-calling capabilities</li> <li> <strong>Google Calendar API</strong>: Enables full calendar management through OAuth 2.0 integration</li> <li> <strong>Google Cloud Console</strong>: Manages OAuth credentials, API keys, and service configuration</li> <li> <strong>Google OAuth 2.0</strong>: Secure authentication and authorization flow</li> </ul> <h3> Tech Stack Highlights </h3> <ul> <li> <strong>AI</strong>: Google Gemini 2.5 Pro via Vercel AI SDK (Google AI SDK integration)</li> <li> <strong>Calendar</strong>: Google Calendar API v3 with OAuth 2.0</li> <li> <strong>Framework</strong>: Next.js 15 with App Router and Turbo mode</li> <li> <strong>Database</strong>: Vercel Postgres (Neon) with Drizzle ORM</li> <li> <strong>UI</strong>: React 19, shadcn/ui, and Tailwind CSS</li> <li> <strong>Authentication</strong>: NextAuth.js with Google OAuth</li> </ul> <h2> Integrating Google Calendar API: The Deep Dive </h2> <p>The most complex and powerful part of CommunitySync is the <strong>Google Calendar API integration</strong>. Here's how it works:</p> <h3> Setting Up Google Cloud Platform </h3> <p>Before writing any code, you need to configure your GCP project:</p> <ol> <li> <p><strong>Create a Google Cloud Project</strong></p> <ul> <li>Navigate to <a href="https://console.cloud.google.com/" rel="noopener noreferrer">Google Cloud Console</a> </li> <li>Create a new project or select an existing one</li> </ul> </li> <li> <p><strong>Enable Google Calendar API</strong></p> <ul> <li>Go to APIs &amp; Services → Library</li> <li>Search for "Google Calendar API"</li> <li>Click "Enable"</li> </ul> </li> <li> <p><strong>Configure OAuth 2.0 Credentials</strong></p> <ul> <li>Navigate to APIs &amp; Services → Credentials</li> <li>Create OAuth client ID (Web application)</li> <li>Add authorized redirect URIs: <ul> <li> <code>http://localhost:3000/api/auth/callback/google</code> (development)</li> <li> <code>https://yourdomain.com/api/auth/callback/google</code> (production)</li> </ul> </li> </ul> </li> <li> <p><strong>Set Up OAuth Consent Screen</strong></p> <ul> <li>Configure scopes: <code>openid email profile https://www.googleapis.com/auth/calendar</code> </li> <li>Add test users (for development)</li> </ul> </li> <li> <p><strong>Get Google Generative AI API Key</strong></p> <ul> <li>Go to <a href="https://makersuite.google.com/app/apikey" rel="noopener noreferrer">Google AI Studio</a> </li> <li>Create an API key for Gemini</li> </ul> </li> </ol> <h3> OAuth 2.0 Flow Implementation </h3> <p>The integration uses Google's OAuth 2.0 flow to securely access user calendars:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// OAuth 2.0 Client Setup</span> <span class="kd">const</span> <span class="nx">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">google</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nc">OAuth2</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_REDIRECT_URI</span> <span class="p">);</span> <span class="c1">// Set credentials with refresh token</span> <span class="nx">oauth2Client</span><span class="p">.</span><span class="nf">setCredentials</span><span class="p">({</span> <span class="na">refresh_token</span><span class="p">:</span> <span class="nx">userRefreshToken</span> <span class="p">});</span> <span class="c1">// Create Calendar API client</span> <span class="kd">const</span> <span class="nx">calendar</span> <span class="o">=</span> <span class="nx">google</span><span class="p">.</span><span class="nf">calendar</span><span class="p">({</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">v3</span><span class="dl">"</span><span class="p">,</span> <span class="na">auth</span><span class="p">:</span> <span class="nx">oauth2Client</span> <span class="p">});</span> </code></pre> </div> <h3> Google Calendar API Tools </h3> <p>The AI assistant has access to five powerful calendar tools powered by the Google Calendar API:</p> <h4> 1. List Events (<code>listEvents</code>) </h4> <p>Fetches calendar events with filtering and pagination:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">listEvents</span><span class="p">({</span> <span class="nx">calendarId</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">primary</span><span class="dl">"</span><span class="p">,</span> <span class="nx">timeMin</span><span class="p">,</span> <span class="nx">timeMax</span><span class="p">,</span> <span class="nx">maxResults</span> <span class="o">=</span> <span class="mi">10</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">calendarId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">timeMin</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">timeMax</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">maxResults</span><span class="p">?:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">calendar</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getCalendarClient</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">calendar</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nf">list</span><span class="p">({</span> <span class="nx">calendarId</span><span class="p">,</span> <span class="na">timeMin</span><span class="p">:</span> <span class="nx">timeMin</span> <span class="p">?</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">timeMin</span><span class="p">).</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="na">timeMax</span><span class="p">:</span> <span class="nx">timeMax</span> <span class="p">?</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">timeMax</span><span class="p">).</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="nx">maxResults</span><span class="p">,</span> <span class="na">singleEvents</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">orderBy</span><span class="p">:</span> <span class="dl">"</span><span class="s2">startTime</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">events</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">items</span> <span class="o">||</span> <span class="p">[],</span> <span class="na">count</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">items</span><span class="p">?.</span><span class="nx">length</span> <span class="o">||</span> <span class="mi">0</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h4> 2. Create Event (<code>createEvent</code>) </h4> <p>Creates new calendar events with full details:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">createEvent</span><span class="p">({</span> <span class="nx">calendarId</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">primary</span><span class="dl">"</span><span class="p">,</span> <span class="nx">summary</span><span class="p">,</span> <span class="nx">description</span><span class="p">,</span> <span class="nx">start</span><span class="p">,</span> <span class="nx">end</span><span class="p">,</span> <span class="nx">location</span><span class="p">,</span> <span class="nx">attendees</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">calendarId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">summary</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">description</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">start</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">end</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">location</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">attendees</span><span class="p">?:</span> <span class="kr">string</span><span class="p">[];</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">calendar</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getCalendarClient</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">event</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">summary</span><span class="p">,</span> <span class="nx">description</span><span class="p">,</span> <span class="nx">location</span><span class="p">,</span> <span class="na">start</span><span class="p">:</span> <span class="p">{</span> <span class="na">dateTime</span><span class="p">:</span> <span class="nx">start</span><span class="p">,</span> <span class="na">timeZone</span><span class="p">:</span> <span class="dl">"</span><span class="s2">UTC</span><span class="dl">"</span> <span class="p">},</span> <span class="na">end</span><span class="p">:</span> <span class="p">{</span> <span class="na">dateTime</span><span class="p">:</span> <span class="nx">end</span><span class="p">,</span> <span class="na">timeZone</span><span class="p">:</span> <span class="dl">"</span><span class="s2">UTC</span><span class="dl">"</span> <span class="p">},</span> <span class="na">attendees</span><span class="p">:</span> <span class="nx">attendees</span><span class="p">?.</span><span class="nf">map</span><span class="p">(</span><span class="nx">email</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="nx">email</span> <span class="p">})),</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">calendar</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="nx">calendarId</span><span class="p">,</span> <span class="na">requestBody</span><span class="p">:</span> <span class="nx">event</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h4> 3. Update Event (<code>updateEvent</code>) </h4> <p>Updates existing calendar events:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">updateEvent</span><span class="p">({</span> <span class="nx">calendarId</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">primary</span><span class="dl">"</span><span class="p">,</span> <span class="nx">eventId</span><span class="p">,</span> <span class="nx">summary</span><span class="p">,</span> <span class="nx">description</span><span class="p">,</span> <span class="nx">start</span><span class="p">,</span> <span class="nx">end</span><span class="p">,</span> <span class="nx">location</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">calendarId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">eventId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">summary</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">description</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">start</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">end</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">location</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">calendar</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getCalendarClient</span><span class="p">();</span> <span class="c1">// First, get the existing event</span> <span class="kd">const</span> <span class="nx">existingEvent</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">calendar</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nf">get</span><span class="p">({</span> <span class="nx">calendarId</span><span class="p">,</span> <span class="nx">eventId</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Update with new values</span> <span class="kd">const</span> <span class="nx">updatedEvent</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">existingEvent</span><span class="p">.</span><span class="nx">data</span><span class="p">,</span> <span class="na">summary</span><span class="p">:</span> <span class="nx">summary</span> <span class="o">||</span> <span class="nx">existingEvent</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">summary</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="nx">description</span> <span class="o">||</span> <span class="nx">existingEvent</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">description</span><span class="p">,</span> <span class="na">location</span><span class="p">:</span> <span class="nx">location</span> <span class="o">||</span> <span class="nx">existingEvent</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">location</span><span class="p">,</span> <span class="na">start</span><span class="p">:</span> <span class="nx">start</span> <span class="p">?</span> <span class="p">{</span> <span class="na">dateTime</span><span class="p">:</span> <span class="nx">start</span><span class="p">,</span> <span class="na">timeZone</span><span class="p">:</span> <span class="dl">"</span><span class="s2">UTC</span><span class="dl">"</span> <span class="p">}</span> <span class="p">:</span> <span class="nx">existingEvent</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">start</span><span class="p">,</span> <span class="na">end</span><span class="p">:</span> <span class="nx">end</span> <span class="p">?</span> <span class="p">{</span> <span class="na">dateTime</span><span class="p">:</span> <span class="nx">end</span><span class="p">,</span> <span class="na">timeZone</span><span class="p">:</span> <span class="dl">"</span><span class="s2">UTC</span><span class="dl">"</span> <span class="p">}</span> <span class="p">:</span> <span class="nx">existingEvent</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">end</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">calendar</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="nx">calendarId</span><span class="p">,</span> <span class="nx">eventId</span><span class="p">,</span> <span class="na">requestBody</span><span class="p">:</span> <span class="nx">updatedEvent</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h4> 4. Delete Event (<code>deleteEvent</code>) </h4> <p>Removes events from the calendar:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">deleteEvent</span><span class="p">({</span> <span class="nx">calendarId</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">primary</span><span class="dl">"</span><span class="p">,</span> <span class="nx">eventId</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">calendarId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">eventId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">calendar</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getCalendarClient</span><span class="p">();</span> <span class="k">await</span> <span class="nx">calendar</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="nx">calendarId</span><span class="p">,</span> <span class="nx">eventId</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h4> 5. Check Availability (<code>checkAvailability</code>) </h4> <p>Checks for scheduling conflicts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">checkAvailability</span><span class="p">({</span> <span class="nx">calendarId</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">primary</span><span class="dl">"</span><span class="p">,</span> <span class="nx">timeMin</span><span class="p">,</span> <span class="nx">timeMax</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">calendarId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">timeMin</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">timeMax</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">calendar</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getCalendarClient</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">calendar</span><span class="p">.</span><span class="nx">freebusy</span><span class="p">.</span><span class="nf">query</span><span class="p">({</span> <span class="na">requestBody</span><span class="p">:</span> <span class="p">{</span> <span class="na">timeMin</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">timeMin</span><span class="p">).</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="na">timeMax</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">timeMax</span><span class="p">).</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="na">items</span><span class="p">:</span> <span class="p">[{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">calendarId</span> <span class="p">}],</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">busy</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">calendars</span><span class="p">?.[</span><span class="nx">calendarId</span><span class="p">]?.</span><span class="nx">busy</span> <span class="o">||</span> <span class="p">[];</span> <span class="k">return</span> <span class="p">{</span> <span class="na">available</span><span class="p">:</span> <span class="nx">busy</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">,</span> <span class="na">busyPeriods</span><span class="p">:</span> <span class="nx">busy</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h3> Token Management with GCP </h3> <p>Secure token storage and refresh is critical for a production app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Store refresh token securely in database</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">saveGoogleRefreshToken</span><span class="p">({</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">refreshToken</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nf">getDb</span><span class="p">();</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="na">googleRefreshToken</span><span class="p">:</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="na">isCalendarConnected</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="nf">eq</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">userId</span><span class="p">));</span> <span class="p">}</span> <span class="c1">// Retrieve and use refresh token</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getCalendarClient</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">auth</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">userToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getGoogleRefreshToken</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">google</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nc">OAuth2</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_REDIRECT_URI</span> <span class="p">);</span> <span class="nx">oauth2Client</span><span class="p">.</span><span class="nf">setCredentials</span><span class="p">({</span> <span class="na">refresh_token</span><span class="p">:</span> <span class="nx">userToken</span> <span class="p">});</span> <span class="c1">// Automatically refreshes access token when needed</span> <span class="k">return</span> <span class="nx">google</span><span class="p">.</span><span class="nf">calendar</span><span class="p">({</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">v3</span><span class="dl">"</span><span class="p">,</span> <span class="na">auth</span><span class="p">:</span> <span class="nx">oauth2Client</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> Google Gemini AI SDK Integration </h2> <p>The <strong>Google Gemini AI SDK</strong> powers the conversational intelligence of CommunitySync. Here's how it's integrated:</p> <h3> Setting Up Google Gemini </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ai/index.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@ai-sdk/google</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">geminiProModel</span> <span class="o">=</span> <span class="nf">google</span><span class="p">(</span><span class="dl">"</span><span class="s2">gemini-2.0-flash-exp</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Or use Gemini Pro</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">geminiProModel</span> <span class="o">=</span> <span class="nf">google</span><span class="p">(</span><span class="dl">"</span><span class="s2">gemini-1.5-pro</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <h3> Connecting Gemini to Calendar Tools </h3> <p>The AI SDK's <code>streamText</code> API connects Gemini to the Google Calendar API tools:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">streamText</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">ai</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">geminiProModel</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/ai</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">googleCalendarTools</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@/lib/tools/google-calendar</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">streamText</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="nx">geminiProModel</span><span class="p">,</span> <span class="na">system</span><span class="p">:</span> <span class="s2">`You are an AI Community Management Assistant. You have direct access to the user's Google Calendar through the available tools. When users ask about their calendar, IMMEDIATELY use the listEvents tool. Use "primary" as the default calendarId unless specified otherwise.`</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="nx">modelMessages</span><span class="p">,</span> <span class="na">tools</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">googleCalendarTools</span><span class="p">,</span> <span class="c1">// All 5 Calendar API tools</span> <span class="na">getWeather</span><span class="p">:</span> <span class="p">{</span> <span class="cm">/* ... */</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h3> Tool Calling with Gemini </h3> <p>Gemini excels at tool calling—it automatically selects the right Google Calendar API tool based on user intent:</p> <ul> <li>User: <em>"Show me my calendar"</em> → Calls <code>listEvents</code> </li> <li>User: <em>"Schedule a meeting tomorrow"</em> → Calls <code>createEvent</code> </li> <li>User: <em>"Am I free Friday?"</em> → Calls <code>checkAvailability</code> </li> </ul> <p>The AI SDK handles the tool execution and returns results seamlessly.</p> <h2> Key Features Powered by GCP </h2> <h3> 1. Natural Language Calendar Management </h3> <p>Powered by <strong>Google Gemini AI SDK</strong> and <strong>Google Calendar API</strong>, users can manage their entire calendar through conversation:</p> <ul> <li> <strong>View events</strong>: <em>"Show me my calendar for next week"</em> </li> <li> <strong>Create events</strong>: <em>"Schedule a team standup tomorrow at 10 AM"</em> </li> <li> <strong>Update events</strong>: <em>"Move the meeting to 2 PM"</em> </li> <li> <strong>Check availability</strong>: <em>"Am I free next Friday afternoon?"</em> </li> </ul> <h3> 2. Real-Time Synchronization </h3> <p>Events created through the AI assistant are immediately synchronized with Google Calendar via the Calendar API. Changes are reflected in real-time across all devices.</p> <h3> 3. Secure OAuth Integration </h3> <p>Google OAuth 2.0 ensures secure access to user calendars. Refresh tokens are stored securely, and access tokens are automatically refreshed when needed.</p> <h3> 4. Proactive AI Assistance </h3> <p>Google Gemini AI anticipates needs and takes action automatically. When you mention scheduling, it checks your calendar for conflicts using the Calendar API.</p> <h2> Challenges and Solutions with GCP Integration </h2> <h3> Challenge 1: OAuth Token Management </h3> <p><strong>Problem</strong>: Managing Google OAuth refresh tokens securely while ensuring they don't expire unexpectedly.</p> <p><strong>Solution</strong>: </p> <ul> <li>Secure token storage in PostgreSQL database</li> <li>Automatic token refresh using Google's OAuth 2.0 client library</li> <li>Connection status tracking in the database</li> <li>User-friendly re-authentication flow</li> </ul> <h3> Challenge 2: Google Calendar API Rate Limits </h3> <p><strong>Problem</strong>: Google Calendar API has rate limits that could cause failures.</p> <p><strong>Solution</strong>: </p> <ul> <li>Implemented proper error handling for rate limit responses</li> <li>Added retry logic with exponential backoff</li> <li>Cached frequently accessed calendar data</li> <li>User-friendly error messages when limits are reached</li> </ul> <h3> Challenge 3: AI Tool Selection with Gemini </h3> <p><strong>Problem</strong>: Getting Gemini to automatically use the right Calendar API tool without asking unnecessary questions.</p> <p><strong>Solution</strong>: </p> <ul> <li>Refined system prompts with explicit instructions about Google Calendar API</li> <li>Updated tool descriptions to guide Gemini's behavior</li> <li>Added default values (like "primary" calendarId) to tool schemas</li> <li>Implemented proactive tool calling patterns</li> </ul> <p><strong>Key Learning</strong>: Google Gemini's tool-calling capabilities are excellent, but prompt engineering is critical for optimal behavior.</p> <h3> Challenge 4: Real-Time Calendar Synchronization </h3> <p><strong>Problem</strong>: Calendar events created through the AI weren't immediately visible in the calendar panel.</p> <p><strong>Solution</strong>: </p> <ul> <li>Implemented SWR for data fetching with automatic revalidation</li> <li>Added real-time cache invalidation after Calendar API operations</li> <li>Created optimistic updates for instant feedback</li> <li>Built refresh mechanisms using Google Calendar API webhooks (future enhancement)</li> </ul> <h2> GCP Best Practices Implemented </h2> <h3> 1. Secure Credential Management </h3> <ul> <li>OAuth credentials stored as environment variables</li> <li>Refresh tokens encrypted in the database</li> <li>Never expose API keys in client-side code</li> <li>Use Google Cloud Secret Manager for production (recommended)</li> </ul> <h3> 2. Efficient API Usage </h3> <ul> <li>Batch requests when possible</li> <li>Cache calendar data appropriately</li> <li>Handle rate limits gracefully</li> <li>Use appropriate scopes (only request what you need)</li> </ul> <h3> 3. Error Handling </h3> <ul> <li>Comprehensive error handling for all Google Calendar API calls</li> <li>User-friendly error messages</li> <li>Graceful degradation when APIs are unavailable</li> <li>Proper logging for debugging</li> </ul> <h3> 4. Token Refresh Strategy </h3> <ul> <li>Automatic token refresh using Google's OAuth client</li> <li>Store refresh tokens securely</li> <li>Handle token expiration gracefully</li> <li>Provide clear feedback when re-authentication is needed</li> </ul> <h2> What Makes This GCP Integration Special </h2> <h3> 1. Seamless Google Services Integration </h3> <p>Combining <strong>Google Gemini AI SDK</strong> and <strong>Google Calendar API</strong> creates a powerful, integrated experience. The AI understands calendar context and can take actions automatically.</p> <h3> 2. Production-Ready OAuth Implementation </h3> <p>Secure OAuth 2.0 flow with proper token management ensures users' data is protected while providing a smooth experience.</p> <h3> 3. Type-Safe API Integration </h3> <p>Using TypeScript with Zod schemas ensures type safety for all Google Calendar API interactions, catching errors at compile-time.</p> <h3> 4. Scalable Architecture </h3> <p>The architecture is designed to scale with Google Cloud Platform services, handling multiple users and high API request volumes.</p> <h2> Lessons Learned from GCP Integration </h2> <h3> 1. Google Calendar API is Powerful but Complex </h3> <p>The Calendar API provides extensive functionality, but proper setup and understanding of OAuth flows is essential. Take time to understand the authentication model.</p> <h3> 2. Gemini AI SDK Tool Calling is Excellent </h3> <p>Google Gemini excels at tool calling when properly configured. Well-crafted prompts and tool descriptions dramatically improve AI behavior.</p> <h3> 3. OAuth Token Management is Critical </h3> <p>Proper token storage, refresh, and error handling are essential for a production app. Google's OAuth client libraries handle much of this, but you still need to manage refresh tokens securely.</p> <h3> 4. Rate Limits Matter </h3> <p>Google Calendar API has rate limits. Implement proper error handling, caching, and retry logic to handle these gracefully.</p> <h3> 5. User Experience Over Features </h3> <p>A few well-executed Google Calendar API features beat many incomplete ones. Focus on making the core calendar management seamless and reliable.</p> <h2> Getting Started with GCP Integration </h2> <p>Want to build something similar? Here's how to get started:</p> <h3> 1. Set Up Google Cloud Project </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable Google Calendar API</span> gcloud services <span class="nb">enable </span>calendar-json.googleapis.com <span class="c"># Or use the Google Cloud Console</span> <span class="c"># APIs &amp; Services → Library → Google Calendar API → Enable</span> </code></pre> </div> <h3> 2. Configure OAuth Credentials </h3> <ol> <li>Go to <a href="https://console.cloud.google.com/" rel="noopener noreferrer">Google Cloud Console</a> </li> <li>APIs &amp; Services → Credentials</li> <li>Create OAuth client ID (Web application)</li> <li>Add authorized redirect URIs</li> </ol> <h3> 3. Install Dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm add googleapis @ai-sdk/google ai </code></pre> </div> <h3> 4. Set Up Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GOOGLE_CLIENT_ID=your_client_id GOOGLE_CLIENT_SECRET=your_client_secret GOOGLE_REDIRECT_URI=http://localhost:3000/api/auth/callback/google GOOGLE_GENERATIVE_AI_API_KEY=your_gemini_api_key </code></pre> </div> <h3> 5. Initialize Google APIs </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">googleapis</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">google</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nc">OAuth2</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_REDIRECT_URI</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">calendar</span> <span class="o">=</span> <span class="nx">google</span><span class="p">.</span><span class="nf">calendar</span><span class="p">({</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">v3</span><span class="dl">"</span><span class="p">,</span> <span class="na">auth</span><span class="p">:</span> <span class="nx">oauth2Client</span> <span class="p">});</span> </code></pre> </div> <h2> What's Next: Expanding GCP Integration </h2> <p>Future enhancements leveraging Google Cloud Platform:</p> <p><strong>Google Workspace Integration</strong>: Gmail, Google Drive, and Google Meet integration</p> <p><strong>Google Cloud Functions</strong>: Serverless functions for background calendar processing</p> <p><strong>Google Cloud Pub/Sub</strong>: Real-time calendar event notifications</p> <p><strong>Google Cloud Storage</strong>: Enhanced file storage for community assets</p> <p><strong>Google Analytics Integration</strong>: Track community engagement metrics</p> <p><strong>Multi-Calendar Support</strong>: Manage multiple Google Calendars simultaneously</p> <h2> Conclusion </h2> <p>Building CommunitySync with <strong>Google Cloud Platform</strong>, <strong>Google Gemini AI SDK</strong>, and <strong>Google Calendar API</strong> has been an incredible learning experience. The integration of these powerful Google services creates a seamless, intelligent assistant that transforms how communities are managed.</p> <p>The combination of Google's AI capabilities with their Calendar API provides a foundation for building powerful, conversational applications that understand context and take action automatically.</p> <p><strong>The future of community management is conversational, intelligent, and powered by Google Cloud Platform.</strong></p> <p><em>Built with Google Cloud Platform, Google Gemini AI SDK, Google Calendar API, Next.js 15, and React 19.</em></p> <p><strong>Want to learn more?</strong> </p> <ul> <li><a href="https://developers.google.com/calendar/api" rel="noopener noreferrer">Google Calendar API Documentation</a></li> <li><a href="https://ai.google.dev/" rel="noopener noreferrer">Google Gemini AI SDK</a></li> <li><a href="https://cloud.google.com/" rel="noopener noreferrer">Google Cloud Platform</a></li> <li><a href="https://github.com/Blackie360/agents_aisdk" rel="noopener noreferrer">Check out the GitHub repository</a></li> </ul> gcp calendarapi aisdk vercel Building a Cloud-Native Booking System with GCP OAuth, Calendar & Meet APIs Felix Jumason Thu, 30 Oct 2025 14:51:01 +0000 https://forem.com/blackie360/building-a-cloud-native-booking-system-with-gcp-oauth-calendar-meet-apis-23dp https://forem.com/blackie360/building-a-cloud-native-booking-system-with-gcp-oauth-calendar-meet-apis-23dp <p>Prepared by <strong>Felix Jumason</strong> for the session “Building a Cloud-Native Booking System with GCP OAuth, Calendar &amp; Meet APIs” at <a href="https://gdg.community.dev/events/details/google-gdg-nairobi-presents-devfest-nairobi-day-one-hands-on-workshops-amp-codelabs/" rel="noopener noreferrer">DevFest Nairobi 2025</a>.</p> <blockquote> <p>Project repository: <a href="https://github.com/Blackie360/mischief-meet" rel="noopener noreferrer">mischief-meet on GitHub</a></p> </blockquote> <h3> Session Overview </h3> <ul> <li>Why Google Cloud (GCP) services are central to modern scheduling workflows</li> <li>How OAuth, Google Calendar, and Meet APIs orchestrate booking automation</li> <li>Practical implementation using Next.js 14, Clerk, Prisma, and shadcn/ui</li> <li>Demo script and troubleshooting tips for live workshops</li> </ul> <h3> Prerequisites </h3> <ul> <li>Google Cloud project with billing enabled</li> <li>Clerk application configured for your domain</li> <li>PostgreSQL instance (local or managed) for Prisma</li> <li>Environment variables in <code>.env</code> for database, Clerk, SMTP, and <code>NEXT_PUBLIC_APP_URL</code> </li> <li>Local tooling: Node.js ≥18, <code>pnpm</code>, <code>gcloud</code> CLI (optional for verification)</li> </ul> <h3> 1. Prepare the Google Cloud Project </h3> <ul> <li> <strong>Create/Select Project:</strong> In Google Cloud Console select a dedicated project for the booking system.</li> <li> <strong>Enable APIs:</strong> Navigate to “APIs &amp; Services → Library” and enable the <strong>Google Calendar API</strong> (Meet conferences ride on Calendar events).</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdtixpzv2xb8z8p0cowyt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdtixpzv2xb8z8p0cowyt.png" alt=" " width="800" height="225"></a></p> <ul> <li> <strong>Set Up Service Access:</strong> Confirm the project has an OAuth consent screen (required even for testing) and billing is active to avoid quota issues during the live demo.</li> </ul> <h3> 2. Configure the OAuth Consent Screen </h3> <ul> <li> <strong>User Type:</strong> Choose <strong>External</strong> so any attendee can authorize during the demo.</li> <li> <strong>App Information:</strong> Add app name, support email, and logo (optional but recommended for trust during live sessions).</li> <li> <strong>Scopes:</strong> Add the following scopes: <code>openid</code>, <code>email</code>, <code>profile</code>, and <code>https://www.googleapis.com/auth/calendar.events</code>.</li> <li> <strong>Test Users:</strong> While in test mode, whitelist your demo accounts; complete verification later for production.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fusha9eek5nmi17bqykdy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fusha9eek5nmi17bqykdy.png" alt=" " width="702" height="427"></a></p> <h3> 3. Create OAuth Client Credentials </h3> <ul> <li>Go to “APIs &amp; Services → Credentials → Create Credentials → OAuth client ID”.</li> <li>Choose <strong>Web application</strong> and add redirect URIs provided by Clerk, e.g. <code>https://&lt;your-clerk-subdomain&gt;.clerk.accounts.dev/v1/oauth_callback</code> for development and your production domain callback when ready.</li> <li>Store the Client ID and Client Secret securely; you will paste them into Clerk.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff4k5brti2m8xznxtbxsc.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff4k5brti2m8xznxtbxsc.jpg" alt=" " width="635" height="866"></a></p> <h3> 4. Connect GCP OAuth to Clerk </h3> <ul> <li>In the Clerk dashboard open <strong>User &amp; Authentication → Social Connections → Google</strong>.</li> <li>Paste the Google Client ID and Client Secret. Add the extra scope <code>calendar.events</code> to ensure the returned access token authorizes Calendar operations.</li> <li>Deploy the configuration and log in as a host user to connect a Google account inside the Mischief Meet UI.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn98dbkdwskd4d77hql2f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn98dbkdwskd4d77hql2f.png" alt=" " width="434" height="369"></a></p> <h3> 5. Create Calendar Events with Meet Links </h3> <p>Clerk stores Google access tokens per user. Our server action retrieves the host’s token, exchanges it for a Calendar client, and issues the event insert request with Meet conferencing enabled.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">google</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nc">OAuth2</span><span class="p">();</span> <span class="nx">oauth2Client</span><span class="p">.</span><span class="nf">setCredentials</span><span class="p">({</span> <span class="na">access_token</span><span class="p">:</span> <span class="nx">token</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">calendar</span> <span class="o">=</span> <span class="nx">google</span><span class="p">.</span><span class="nf">calendar</span><span class="p">({</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">v3</span><span class="dl">"</span><span class="p">,</span> <span class="na">auth</span><span class="p">:</span> <span class="nx">oauth2Client</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">meetResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">calendar</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="na">calendarId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">primary</span><span class="dl">"</span><span class="p">,</span> <span class="na">conferenceDataVersion</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">requestBody</span><span class="p">:</span> <span class="p">{</span> <span class="na">summary</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="nx">validatedData</span><span class="p">.</span><span class="nx">additionalInfo</span><span class="p">,</span> <span class="na">start</span><span class="p">:</span> <span class="p">{</span> <span class="na">dateTime</span><span class="p">:</span> <span class="nx">validatedData</span><span class="p">.</span><span class="nx">startTime</span> <span class="p">},</span> <span class="na">end</span><span class="p">:</span> <span class="p">{</span> <span class="na">dateTime</span><span class="p">:</span> <span class="nx">validatedData</span><span class="p">.</span><span class="nx">endTime</span> <span class="p">},</span> <span class="na">attendees</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">validatedData</span><span class="p">.</span><span class="nx">email</span> <span class="p">},</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span> <span class="p">},</span> <span class="p">],</span> <span class="na">conferenceData</span><span class="p">:</span> <span class="p">{</span> <span class="na">createRequest</span><span class="p">:</span> <span class="p">{</span> <span class="na">requestId</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2">-</span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()}</span><span class="s2">`</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">meetLink</span> <span class="o">=</span> <span class="nx">meetResponse</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">hangoutLink</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">googleEventId</span> <span class="o">=</span> <span class="nx">meetResponse</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> </code></pre> </div> <h3> 6. Persist the Booking and Notify Participants </h3> <ul> <li>Save the booking metadata (including <code>googleEventId</code> and <code>meetLink</code>) via Prisma.</li> <li>Send transactional emails to both attendee and host containing the Meet URL and calendar details.</li> <li>Display the Meet link instantly in the UI for confirmation during the demo.</li> </ul> <h3> 7. Handle Cancellations Gracefully </h3> <p>Use the stored <code>googleEventId</code> to delete the event from Google Calendar; fall back to database cleanup if the Google API call fails.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">oauth2Client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">google</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nc">OAuth2</span><span class="p">();</span> <span class="nx">oauth2Client</span><span class="p">.</span><span class="nf">setCredentials</span><span class="p">({</span> <span class="na">access_token</span><span class="p">:</span> <span class="nx">token</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">calendar</span> <span class="o">=</span> <span class="nx">google</span><span class="p">.</span><span class="nf">calendar</span><span class="p">({</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">v3</span><span class="dl">"</span><span class="p">,</span> <span class="na">auth</span><span class="p">:</span> <span class="nx">oauth2Client</span> <span class="p">});</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">calendar</span><span class="p">.</span><span class="nx">events</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="na">calendarId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">primary</span><span class="dl">"</span><span class="p">,</span> <span class="na">eventId</span><span class="p">:</span> <span class="nx">meeting</span><span class="p">.</span><span class="nx">googleEventId</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Failed to delete event from Google Calendar:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">booking</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">meetingId</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h3> 8. Generate Availability Windows </h3> <p>Precompute upcoming slots based on host availability, duration, and existing bookings so the client component only surfaces valid times.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">date</span> <span class="o">=</span> <span class="nx">startDate</span><span class="p">;</span> <span class="nx">date</span> <span class="o">&lt;=</span> <span class="nx">endDate</span><span class="p">;</span> <span class="nx">date</span> <span class="o">=</span> <span class="nf">addDays</span><span class="p">(</span><span class="nx">date</span><span class="p">,</span> <span class="mi">1</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">dayOfWeek</span> <span class="o">=</span> <span class="nf">format</span><span class="p">(</span><span class="nx">date</span><span class="p">,</span> <span class="dl">"</span><span class="s2">EEEE</span><span class="dl">"</span><span class="p">).</span><span class="nf">toUpperCase</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">dayAvailability</span> <span class="o">=</span> <span class="nx">availability</span><span class="p">?.</span><span class="nx">days</span><span class="p">?.</span><span class="nf">find</span><span class="p">(</span> <span class="p">(</span><span class="nx">d</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">d</span><span class="p">.</span><span class="nx">day</span> <span class="o">===</span> <span class="nx">dayOfWeek</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">dayAvailability</span><span class="p">)</span> <span class="k">continue</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">slots</span> <span class="o">=</span> <span class="nf">generateAvailableTimeSlots</span><span class="p">(</span> <span class="nx">dayAvailability</span><span class="p">.</span><span class="nx">startTime</span><span class="p">,</span> <span class="nx">dayAvailability</span><span class="p">.</span><span class="nx">endTime</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">duration</span><span class="p">,</span> <span class="nx">bookings</span><span class="p">,</span> <span class="nf">format</span><span class="p">(</span><span class="nx">date</span><span class="p">,</span> <span class="dl">"</span><span class="s2">yyyy-MM-dd</span><span class="dl">"</span><span class="p">),</span> <span class="nx">availability</span><span class="p">.</span><span class="nx">timeGap</span> <span class="o">||</span> <span class="mi">0</span> <span class="p">);</span> <span class="nx">availableDates</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">date</span><span class="p">:</span> <span class="nf">format</span><span class="p">(</span><span class="nx">date</span><span class="p">,</span> <span class="dl">"</span><span class="s2">yyyy-MM-dd</span><span class="dl">"</span><span class="p">),</span> <span class="nx">slots</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> Demo Flow Checklist </h3> <ul> <li>Start with the architecture slide explaining token flow (User → Clerk → GCP APIs → Prisma).</li> <li>Walk through GCP Console steps live or via screenshots to reinforce the OAuth setup.</li> <li>Trigger a booking from the public page; highlight the Meet link returned instantly.</li> <li>Show the event in Google Calendar to prove API success.</li> <li>Cancel the booking to demonstrate lifecycle cleanup and calendar sync.</li> <li>Close with lessons on securing tokens and scaling availability logic.</li> </ul> <h3> Troubleshooting Tips </h3> <ul> <li> <strong>Token missing <code>calendar.events</code> scope:</strong> Reconnect the Google account after updating Clerk scope settings.</li> <li> <strong><code>insufficientPermissions</code> errors:</strong> Confirm the Google account accepted the requested scopes during consent.</li> <li> <strong>Stale access tokens:</strong> Clerk refreshes tokens automatically; if you cache them, request fresh credentials before calling the API.</li> <li> <strong>Double bookings:</strong> Always cross-check Prisma bookings before issuing a new slot to the calendar.</li> </ul> <h3> Resources &amp; Credits </h3> <ul> <li>Slides &amp; repo: <a href="https://github.com/Blackie360/mischief-meet" rel="noopener noreferrer">mischief-meet on GitHub</a> </li> <li>Event details: <a href="https://gdg.community.dev/events/details/google-gdg-nairobi-presents-devfest-nairobi-day-one-hands-on-workshops-amp-codelabs/" rel="noopener noreferrer">DevFest Nairobi Day One</a> </li> <li>Google Calendar API docs: <a href="https://developers.google.com/calendar" rel="noopener noreferrer">developers.google.com/calendar</a> </li> </ul> <p>See you at DevFest Nairobi 2025!</p> gcp api Enforcing Row Level Security in Supabase: A Deep Dive into LockIn's Multi-Tenant Architecture Felix Jumason Fri, 17 Oct 2025 13:46:19 +0000 https://forem.com/blackie360/-enforcing-row-level-security-in-supabase-a-deep-dive-into-lockins-multi-tenant-architecture-4hd2 https://forem.com/blackie360/-enforcing-row-level-security-in-supabase-a-deep-dive-into-lockins-multi-tenant-architecture-4hd2 <h2> Introduction </h2> <p>When building <strong>LockIn</strong>, a secure API key management platform for hackathons and small teams, we faced the critical challenge of implementing bulletproof data isolation in a multi-tenant environment. Supabase's Row Level Security (RLS) became our primary defense mechanism, but implementing it correctly proved to be more complex than initially anticipated.</p> <p>This blog post details our journey implementing RLS in Supabase, the challenges we encountered, and the solutions we developed to create a secure, scalable multi-tenant system.</p> <p>Repo link :<a href="https://github.com/Blackie360/lockin" rel="noopener noreferrer">https://github.com/Blackie360/lockin</a></p> <p>Live Demo:<a href="https://lockin-wine.vercel.app/" rel="noopener noreferrer">https://lockin-wine.vercel.app/</a></p> <h2> The Challenge: Multi-Tenant Data Isolation </h2> <h3> The Problem </h3> <p>LockIn needed to support multiple organizations, each with their own:</p> <ul> <li>Projects and environments</li> <li>Team members with different roles (owner, admin, member)</li> <li>Encrypted secrets and API keys</li> <li>Invitation system</li> </ul> <p><strong>Critical Requirement</strong>: Complete data isolation - users should never be able to access data from organizations they don't belong to, even if they try to bypass application-level security.</p> <h3> Why RLS Was Essential </h3> <p>While application-level security is important, RLS provides defense-in-depth by enforcing security policies directly at the database level. This ensures that even if there's a bug in our application code or if someone gains direct database access, the data remains protected.</p> <h2> Supabase RLS Implementation Strategy </h2> <h3> 1. Architecture Overview </h3> <p>Our RLS implementation follows a hierarchical security model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Organization (Top Level) ├── Members (Role-based access) ├── Projects (Org-scoped) ├── Environments (Project-scoped) ├── Secrets (Environment-scoped) └── Audit Logs (Org-scoped) </code></pre> </div> <h3> 2. Helper Functions for Role-Based Access </h3> <p>Before implementing policies, we created utility functions to check user permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Core function to get current authenticated user ID</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="k">public</span><span class="p">.</span><span class="n">current_user_id</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="nb">TEXT</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">SELECT</span> <span class="n">COALESCE</span><span class="p">(</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'request.jwt.claims'</span><span class="p">,</span> <span class="k">true</span><span class="p">)::</span><span class="n">json</span><span class="o">-&gt;&gt;</span><span class="s1">'sub'</span><span class="p">,</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.current_user_id'</span><span class="p">,</span> <span class="k">true</span><span class="p">)</span> <span class="p">);</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="k">SQL</span> <span class="k">STABLE</span><span class="p">;</span> <span class="c1">-- Check if user is a member of an organization</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="k">public</span><span class="p">.</span><span class="n">is_organization_member</span><span class="p">(</span><span class="n">org_id</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">TEXT</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">BOOLEAN</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">SELECT</span> <span class="k">EXISTS</span><span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">WHERE</span> <span class="n">organization_id</span> <span class="o">=</span> <span class="n">org_id</span> <span class="k">AND</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">is_organization_member</span><span class="p">.</span><span class="n">user_id</span> <span class="p">);</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="k">SQL</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span><span class="p">;</span> <span class="c1">-- Check if user has admin or owner privileges</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="k">public</span><span class="p">.</span><span class="n">is_organization_admin</span><span class="p">(</span><span class="n">org_id</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">TEXT</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">BOOLEAN</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">SELECT</span> <span class="k">EXISTS</span><span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">WHERE</span> <span class="n">organization_id</span> <span class="o">=</span> <span class="n">org_id</span> <span class="k">AND</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">is_organization_admin</span><span class="p">.</span><span class="n">user_id</span> <span class="k">AND</span> <span class="k">role</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'admin'</span><span class="p">,</span> <span class="s1">'owner'</span><span class="p">)</span> <span class="p">);</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="k">SQL</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span><span class="p">;</span> <span class="c1">-- Check if user is specifically an owner</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="k">public</span><span class="p">.</span><span class="n">is_organization_owner</span><span class="p">(</span><span class="n">org_id</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">TEXT</span><span class="p">)</span> <span class="k">RETURNS</span> <span class="nb">BOOLEAN</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">SELECT</span> <span class="k">EXISTS</span><span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">WHERE</span> <span class="n">organization_id</span> <span class="o">=</span> <span class="n">org_id</span> <span class="k">AND</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">is_organization_owner</span><span class="p">.</span><span class="n">user_id</span> <span class="k">AND</span> <span class="k">role</span> <span class="o">=</span> <span class="s1">'owner'</span> <span class="p">);</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="k">SQL</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span><span class="p">;</span> </code></pre> </div> <p><strong>Key Insight</strong>: Using <code>SECURITY DEFINER</code> ensures these functions run with elevated privileges, allowing them to check membership even when called from restricted contexts.</p> <h3> 3. Organization-Level Security Policies </h3> <p>Organizations are the top-level tenant boundary. Our policies ensure complete isolation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Enable RLS on organization table</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="k">public</span><span class="p">.</span><span class="n">organization</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="c1">-- Users can only view organizations they're members of</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can view their organizations"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">organization</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">id</span> <span class="k">IN</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">organization_id</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">current_user_id</span><span class="p">()</span> <span class="p">)</span> <span class="p">);</span> <span class="c1">-- Only admins can update organization settings</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Admins can update organization"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">organization</span> <span class="k">FOR</span> <span class="k">UPDATE</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="n">is_organization_admin</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">current_user_id</span><span class="p">()))</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">is_organization_admin</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">current_user_id</span><span class="p">()));</span> <span class="c1">-- Only owners can delete organizations</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Owners can delete organization"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">organization</span> <span class="k">FOR</span> <span class="k">DELETE</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="n">is_organization_owner</span><span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">current_user_id</span><span class="p">()));</span> </code></pre> </div> <h3> 4. Member Management Security </h3> <p>Member management required careful consideration of role hierarchy and self-protection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="c1">-- Users can view members of organizations they belong to</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can view organization members"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">organization_id</span> <span class="k">IN</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">organization_id</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">current_user_id</span><span class="p">()</span> <span class="p">)</span> <span class="p">);</span> <span class="c1">-- Admins can add new members</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Admins can add members"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">FOR</span> <span class="k">INSERT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">is_organization_admin</span><span class="p">(</span><span class="n">organization_id</span><span class="p">,</span> <span class="n">current_user_id</span><span class="p">()));</span> <span class="c1">-- Admins can update member roles (but not their own)</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Admins can update member roles"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">FOR</span> <span class="k">UPDATE</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">is_organization_admin</span><span class="p">(</span><span class="n">organization_id</span><span class="p">,</span> <span class="n">current_user_id</span><span class="p">())</span> <span class="k">AND</span> <span class="n">user_id</span> <span class="o">!=</span> <span class="n">current_user_id</span><span class="p">()</span> <span class="c1">-- Self-protection</span> <span class="p">)</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span> <span class="n">is_organization_admin</span><span class="p">(</span><span class="n">organization_id</span><span class="p">,</span> <span class="n">current_user_id</span><span class="p">())</span> <span class="k">AND</span> <span class="n">user_id</span> <span class="o">!=</span> <span class="n">current_user_id</span><span class="p">()</span> <span class="p">);</span> <span class="c1">-- Users can leave organizations (delete their own membership)</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can leave organization"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">FOR</span> <span class="k">DELETE</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">current_user_id</span><span class="p">());</span> </code></pre> </div> <h3> 5. Project and Secret-Level Security </h3> <p>Projects and secrets inherit organization-level permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Projects are organization-scoped</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="k">public</span><span class="p">.</span><span class="n">project</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"org members can select project"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">project</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">org_id</span> <span class="k">IN</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">organization_id</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="k">public</span><span class="p">.</span><span class="n">current_user_id</span><span class="p">()</span> <span class="p">)</span> <span class="p">);</span> <span class="c1">-- Only admins can manage projects</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"admins can mutate project"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">project</span> <span class="k">FOR</span> <span class="k">ALL</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="k">public</span><span class="p">.</span><span class="n">is_organization_admin</span><span class="p">(</span><span class="n">org_id</span><span class="p">,</span> <span class="k">public</span><span class="p">.</span><span class="n">current_user_id</span><span class="p">()))</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span><span class="k">public</span><span class="p">.</span><span class="n">is_organization_admin</span><span class="p">(</span><span class="n">org_id</span><span class="p">,</span> <span class="k">public</span><span class="p">.</span><span class="n">current_user_id</span><span class="p">()));</span> <span class="c1">-- Environment variables follow project permissions</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="k">public</span><span class="p">.</span><span class="n">environment</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"org members can select environment"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">environment</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">project_id</span> <span class="k">IN</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">p</span><span class="p">.</span><span class="n">id</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">project</span> <span class="n">p</span> <span class="k">WHERE</span> <span class="n">p</span><span class="p">.</span><span class="n">org_id</span> <span class="k">IN</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">organization_id</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="k">public</span><span class="p">.</span><span class="n">current_user_id</span><span class="p">()</span> <span class="p">)</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <h3> 6. Invitation System Security </h3> <p>The invitation system required special handling to allow non-members to accept invites:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="k">public</span><span class="p">.</span><span class="n">invitation</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="c1">-- Users can view invitations sent to their email</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can view their own invitations"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">invitation</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">email</span> <span class="k">IN</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">email</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="k">user</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="n">current_user_id</span><span class="p">()</span> <span class="p">)</span> <span class="p">);</span> <span class="c1">-- Admins can create and manage invitations</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Admins can create invitations"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">invitation</span> <span class="k">FOR</span> <span class="k">INSERT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span> <span class="n">is_organization_admin</span><span class="p">(</span><span class="n">organization_id</span><span class="p">,</span> <span class="n">current_user_id</span><span class="p">())</span> <span class="k">AND</span> <span class="n">inviter_id</span> <span class="o">=</span> <span class="n">current_user_id</span><span class="p">()</span> <span class="p">);</span> </code></pre> </div> <h2> Major Challenges and Solutions </h2> <h3> Challenge 1: Authentication Context in RLS </h3> <p><strong>Problem</strong>: RLS policies need to identify the current user, but Supabase's <code>auth.uid()</code> doesn't work with Better Auth.</p> <p><strong>Solution</strong>: We implemented a custom <code>current_user_id()</code> function that works with Better Auth's JWT structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="k">public</span><span class="p">.</span><span class="n">current_user_id</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="nb">TEXT</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">SELECT</span> <span class="n">COALESCE</span><span class="p">(</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'request.jwt.claims'</span><span class="p">,</span> <span class="k">true</span><span class="p">)::</span><span class="n">json</span><span class="o">-&gt;&gt;</span><span class="s1">'sub'</span><span class="p">,</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.current_user_id'</span><span class="p">,</span> <span class="k">true</span><span class="p">)</span> <span class="p">);</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="k">SQL</span> <span class="k">STABLE</span><span class="p">;</span> </code></pre> </div> <p><strong>Implementation in Application</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Set user context for RLS</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">withUserContext</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span> <span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">operation</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nx">sql</span><span class="s2">`SET LOCAL app.current_user_id = </span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span> <span class="p">).</span><span class="nf">then</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">operation</span><span class="p">());</span> <span class="p">}</span> </code></pre> </div> <h3> Challenge 2: Performance with Complex Subqueries </h3> <p><strong>Problem</strong>: RLS policies with multiple subqueries were causing performance issues.</p> <p><strong>Initial Policy (Slow)</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"slow_policy"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">secret</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">project_id</span> <span class="k">IN</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">id</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">project</span> <span class="k">WHERE</span> <span class="n">org_id</span> <span class="k">IN</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">organization_id</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="k">WHERE</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">current_user_id</span><span class="p">()</span> <span class="p">)</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p><strong>Solution</strong>: We optimized with strategic indexing and simplified policies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Added composite indexes</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_member_user_org</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">organization_id</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_project_org</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">project</span><span class="p">(</span><span class="n">org_id</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_secret_project</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">secret</span><span class="p">(</span><span class="n">project_id</span><span class="p">);</span> <span class="c1">-- Simplified policy with better performance</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"optimized_policy"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">secret</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span> <span class="n">m</span> <span class="k">JOIN</span> <span class="k">public</span><span class="p">.</span><span class="n">project</span> <span class="n">p</span> <span class="k">ON</span> <span class="n">p</span><span class="p">.</span><span class="n">org_id</span> <span class="o">=</span> <span class="n">m</span><span class="p">.</span><span class="n">organization_id</span> <span class="k">WHERE</span> <span class="n">m</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="n">current_user_id</span><span class="p">()</span> <span class="k">AND</span> <span class="n">p</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">project_id</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <h3> Challenge 3: Testing RLS Policies </h3> <p><strong>Problem</strong>: Testing RLS policies is notoriously difficult because they depend on authentication context.</p> <p><strong>Solution</strong>: We created a comprehensive testing strategy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Test helper for RLS policies</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">testRLSPolicy</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span> <span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">testQuery</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Set user context</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nx">sql</span><span class="s2">`SET LOCAL app.current_user_id = </span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Run test query</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">testQuery</span><span class="p">();</span> <span class="c1">// Reset context</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nx">sql</span><span class="s2">`RESET app.current_user_id`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Usage in tests</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">RLS prevents cross-org access</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// User 1 should not see User 2's organization data</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span> <span class="nf">testRLSPolicy</span><span class="p">(</span><span class="dl">'</span><span class="s1">user-1</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">organization</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">organization</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="dl">'</span><span class="s1">user-2-org</span><span class="dl">'</span><span class="p">)</span> <span class="p">})</span> <span class="p">)</span> <span class="p">).</span><span class="nx">resolves</span><span class="p">.</span><span class="nf">toBeUndefined</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <h3> Challenge 4: Better Auth Integration </h3> <p><strong>Problem</strong>: Better Auth doesn't natively integrate with Supabase's RLS system.</p> <p><strong>Solution</strong>: We implemented a middleware layer to bridge the gap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Middleware to set RLS context</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">withRLSContext</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span> <span class="nx">session</span><span class="p">:</span> <span class="nx">Session</span><span class="p">,</span> <span class="nx">operation</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Set user context for RLS</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nx">sql</span><span class="s2">`SET LOCAL app.current_user_id = </span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Execute the operation</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">operation</span><span class="p">();</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="c1">// Always reset context</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nx">sql</span><span class="s2">`RESET app.current_user_id`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Usage in API routes</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">api</span><span class="p">.</span><span class="nf">getSession</span><span class="p">({</span> <span class="na">headers</span><span class="p">:</span> <span class="k">await</span> <span class="nf">headers</span><span class="p">()</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">withRLSContext</span><span class="p">(</span><span class="nx">session</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">organizations</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">organization</span><span class="p">.</span><span class="nf">findMany</span><span class="p">();</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">organizations</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> Challenge 5: Migration Complexity </h3> <p><strong>Problem</strong>: Enabling RLS on existing tables can break existing functionality.</p> <p><strong>Solution</strong>: We implemented a careful migration strategy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Step 1: Enable RLS without policies (allows all access temporarily)</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="k">public</span><span class="p">.</span><span class="n">organization</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="c1">-- Step 2: Create policies in a separate transaction</span> <span class="k">BEGIN</span><span class="p">;</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"test_policy"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">organization</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="k">COMMIT</span><span class="p">;</span> <span class="c1">-- Step 3: Test thoroughly, then replace with restrictive policies</span> <span class="k">BEGIN</span><span class="p">;</span> <span class="k">DROP</span> <span class="n">POLICY</span> <span class="nv">"test_policy"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">organization</span><span class="p">;</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"restrictive_policy"</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">organization</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">TO</span> <span class="n">authenticated</span> <span class="k">USING</span> <span class="p">(</span><span class="cm">/* actual restriction logic */</span><span class="p">);</span> <span class="k">COMMIT</span><span class="p">;</span> </code></pre> </div> <h2> Performance Optimizations </h2> <h3> 1. Strategic Indexing </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Composite indexes for common RLS query patterns</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_member_user_org</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">organization_id</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_project_org</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">project</span><span class="p">(</span><span class="n">org_id</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_environment_project</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">environment</span><span class="p">(</span><span class="n">project_id</span><span class="p">);</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_secret_environment</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">secret</span><span class="p">(</span><span class="n">environment_id</span><span class="p">);</span> <span class="c1">-- Partial indexes for active records</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_active_members</span> <span class="k">ON</span> <span class="k">public</span><span class="p">.</span><span class="n">member</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">;</span> </code></pre> </div> <h3> 2. Query Optimization </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Optimized query using joins instead of subqueries</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getOrganizationWithProjects</span><span class="p">(</span><span class="nx">orgId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">db</span> <span class="p">.</span><span class="nf">select</span><span class="p">({</span> <span class="na">organization</span><span class="p">:</span> <span class="nx">organization</span><span class="p">,</span> <span class="na">projects</span><span class="p">:</span> <span class="nx">project</span> <span class="p">})</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">organization</span><span class="p">)</span> <span class="p">.</span><span class="nf">leftJoin</span><span class="p">(</span><span class="nx">project</span><span class="p">,</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">project</span><span class="p">.</span><span class="nx">orgId</span><span class="p">,</span> <span class="nx">organization</span><span class="p">.</span><span class="nx">id</span><span class="p">))</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span> <span class="nf">and</span><span class="p">(</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">organization</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">orgId</span><span class="p">),</span> <span class="c1">// RLS will automatically filter based on user membership</span> <span class="nx">sql</span><span class="s2">`true`</span> <span class="c1">// Placeholder - RLS handles the actual filtering</span> <span class="p">)</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Monitoring and Debugging </h2> <h3> 1. RLS Policy Testing </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Query to test RLS policies</span> <span class="k">EXPLAIN</span> <span class="p">(</span><span class="k">ANALYZE</span><span class="p">,</span> <span class="n">BUFFERS</span><span class="p">)</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="k">public</span><span class="p">.</span><span class="n">organization</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="s1">'test-org-id'</span><span class="p">;</span> <span class="c1">-- Check if RLS is working</span> <span class="k">SELECT</span> <span class="n">schemaname</span><span class="p">,</span> <span class="n">tablename</span><span class="p">,</span> <span class="n">rowsecurity</span> <span class="k">FROM</span> <span class="n">pg_tables</span> <span class="k">WHERE</span> <span class="n">schemaname</span> <span class="o">=</span> <span class="s1">'public'</span> <span class="k">AND</span> <span class="n">rowsecurity</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> </code></pre> </div> <h3> 2. Performance Monitoring </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Log slow RLS queries</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">logSlowQueries</span><span class="p">(</span><span class="nx">query</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">duration</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">duration</span> <span class="o">&gt;</span> <span class="mi">1000</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Log queries over 1 second</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Slow RLS query detected: </span><span class="p">${</span><span class="nx">query</span><span class="p">}</span><span class="s2"> took </span><span class="p">${</span><span class="nx">duration</span><span class="p">}</span><span class="s2">ms`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Lessons Learned </h2> <h3> What Worked Well </h3> <ol> <li> <strong>Defense in Depth</strong>: RLS provided an additional security layer that caught potential issues</li> <li> <strong>Performance</strong>: After optimization, RLS overhead was minimal (&lt; 5ms per query)</li> <li> <strong>Testing</strong>: Comprehensive testing strategy caught several edge cases</li> <li> <strong>Documentation</strong>: Well-documented policies made maintenance easier</li> </ol> <h3> What Was Challenging </h3> <ol> <li> <strong>Complexity</strong>: RLS policies can become complex and hard to debug</li> <li> <strong>Performance</strong>: Initial implementation had significant performance overhead</li> <li> <strong>Testing</strong>: Testing RLS policies requires careful setup of authentication context</li> <li> <strong>Migration</strong>: Enabling RLS on existing tables requires careful planning</li> </ol> <h3> Best Practices Developed </h3> <ol> <li> <strong>Start Simple</strong>: Begin with basic policies and add complexity gradually</li> <li> <strong>Test Thoroughly</strong>: Create comprehensive test suites for RLS policies</li> <li> <strong>Monitor Performance</strong>: Always profile RLS policies for performance impact</li> <li> <strong>Document Everything</strong>: RLS policies should be well-documented for future maintenance</li> <li> <strong>Use Helper Functions</strong>: Abstract complex logic into reusable SQL functions</li> </ol> <h2> Conclusion </h2> <p>Implementing Row Level Security in Supabase for LockIn was a challenging but ultimately rewarding experience. While the initial setup was complex, the security benefits and peace of mind it provides are invaluable.</p> <p>The key takeaways for anyone implementing RLS in Supabase:</p> <ol> <li> <strong>Plan Your Security Model</strong>: Design your RLS policies around your application's security requirements</li> <li> <strong>Optimize for Performance</strong>: RLS can impact performance, so optimize early and often</li> <li> <strong>Test Comprehensively</strong>: RLS bugs can be security vulnerabilities</li> <li> <strong>Monitor and Debug</strong>: Have tools in place to monitor RLS performance and debug issues</li> <li> <strong>Document Everything</strong>: RLS policies are complex and need good documentation</li> </ol> <p>RLS in Supabase provides a powerful tool for implementing multi-tenant security, but it requires careful planning, implementation, and testing to be effective. For LockIn, it was the foundation that enabled us to build a secure, scalable platform for API key management.</p> <p><em>LockIn is now live and protecting API keys for hackathon teams worldwide. The RLS implementation ensures that even in the event of application bugs or security breaches, user data remains isolated and protected at the database level.</em></p> supabase database postgres From Local Development to AWS Production: Deploying a Go Image Resizing API with libvips Felix Jumason Sun, 05 Oct 2025 19:04:56 +0000 https://forem.com/blackie360/from-local-development-to-aws-production-deploying-a-go-image-resizing-api-with-libvips-3b2g https://forem.com/blackie360/from-local-development-to-aws-production-deploying-a-go-image-resizing-api-with-libvips-3b2g <h2> 🎯 Introduction </h2> <p>In this blog post, I'll walk you through the complete journey of taking a Go-based image resizing API from local development to production deployment on AWS. The application, called <strong>blendBeat</strong>, is a high-performance image processing service that can resize, compress, and optimize images on-the-fly using the powerful libvips library.</p> <p><strong>What makes this deployment interesting?</strong></p> <ul> <li>Native C library dependencies (libvips)</li> <li>Containerized Go application</li> <li>Auto-scaling infrastructure</li> <li>Production-ready monitoring and logging</li> <li>Cost-effective serverless architecture github repo: <a href="https://github.com/Blackie360/blendBeat" rel="noopener noreferrer">blendbeat repo</a> ---</li> </ul> <h2> 🏗️ The Application Architecture </h2> <h3> Core Components </h3> <p>Our blendBeat API consists of several key components:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐ │ Web Client │───▶│ Application │───▶│ Image Cache │ │ (React/HTML) │ │ Load Balancer │ │ (In-Memory) │ └─────────────────┘ └──────────────────┘ └─────────────────┘ │ ▼ ┌──────────────────┐ │ ECS Fargate │ │ (Go + libvips) │ └──────────────────┘ </code></pre> </div> <h3> Technology Stack </h3> <ul> <li> <strong>Backend:</strong> Go 1.21 with Gin web framework</li> <li> <strong>Image Processing:</strong> libvips (via bimg Go wrapper)</li> <li> <strong>Caching:</strong> In-memory cache with TTL</li> <li> <strong>Containerization:</strong> Docker with multi-stage builds</li> <li> <strong>Orchestration:</strong> AWS ECS with Fargate</li> <li> <strong>Load Balancing:</strong> Application Load Balancer (ALB)</li> <li> <strong>Monitoring:</strong> CloudWatch Logs and Metrics</li> </ul> <h2> 🚀 The Deployment Journey </h2> <h3> Phase 1: Local Development Setup </h3> <p>The journey began with a well-structured Go application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// cmd/server/main.go</span> <span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"log"</span> <span class="s">"os"</span> <span class="s">"time"</span> <span class="s">"github.com/blackie/blendBeat/internal/cache"</span> <span class="s">"github.com/blackie/blendBeat/internal/handler"</span> <span class="s">"github.com/blackie/blendBeat/internal/processor"</span> <span class="s">"github.com/gin-gonic/gin"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Initialize components</span> <span class="n">imageProcessor</span> <span class="o">:=</span> <span class="n">processor</span><span class="o">.</span><span class="n">NewImageProcessor</span><span class="p">()</span> <span class="n">imageCache</span> <span class="o">:=</span> <span class="n">cache</span><span class="o">.</span><span class="n">NewImageCache</span><span class="p">(</span><span class="m">1</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">)</span> <span class="n">imageHandler</span> <span class="o">:=</span> <span class="n">handler</span><span class="o">.</span><span class="n">NewImageHandler</span><span class="p">(</span><span class="n">imageProcessor</span><span class="p">,</span> <span class="n">imageCache</span><span class="p">)</span> <span class="c">// Create router with CORS support</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">gin</span><span class="o">.</span><span class="n">Default</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">corsMiddleware</span><span class="p">())</span> <span class="c">// API endpoints</span> <span class="n">r</span><span class="o">.</span><span class="n">GET</span><span class="p">(</span><span class="s">"/health"</span><span class="p">,</span> <span class="n">imageHandler</span><span class="o">.</span><span class="n">HealthCheck</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">GET</span><span class="p">(</span><span class="s">"/resize"</span><span class="p">,</span> <span class="n">imageHandler</span><span class="o">.</span><span class="n">ResizeFromURL</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">POST</span><span class="p">(</span><span class="s">"/resize"</span><span class="p">,</span> <span class="n">imageHandler</span><span class="o">.</span><span class="n">ResizeFromUpload</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Static</span><span class="p">(</span><span class="s">"/static"</span><span class="p">,</span> <span class="s">"./static"</span><span class="p">)</span> <span class="c">// Start server</span> <span class="n">port</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"PORT"</span><span class="p">)</span> <span class="k">if</span> <span class="n">port</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">port</span> <span class="o">=</span> <span class="s">"8080"</span> <span class="p">}</span> <span class="n">log</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Starting blendBeat API on port %s"</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="s">":"</span> <span class="o">+</span> <span class="n">port</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Phase 2: Docker Containerization </h3> <p>The first major challenge was containerizing an application with native C library dependencies.</p> <h4> Challenge #1: libvips in Alpine Linux </h4> <p><strong>Problem:</strong> libvips requires specific system libraries that aren't available in standard Go images.</p> <p><strong>Solution:</strong> Multi-stage Docker build with Alpine Linux:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Build stage</span> <span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="c"># Install libvips and build dependencies</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> <span class="se">\ </span> vips-dev <span class="se">\ </span> pkgconfig <span class="se">\ </span> gcc <span class="se">\ </span> musl-dev <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> go.mod ./</span> <span class="k">RUN </span>go mod download <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span><span class="nv">CGO_ENABLED</span><span class="o">=</span>1 <span class="nv">GOOS</span><span class="o">=</span>linux go build <span class="nt">-a</span> <span class="nt">-installsuffix</span> cgo <span class="nt">-o</span> blendBeat ./cmd/server <span class="c"># Runtime stage</span> <span class="k">FROM</span><span class="s"> alpine:latest</span> <span class="c"># Install runtime dependencies</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> <span class="se">\ </span> vips <span class="se">\ </span> ca-certificates <span class="se">\ </span> tzdata <span class="c"># Create non-root user for security</span> <span class="k">RUN </span>addgroup <span class="nt">-g</span> 1001 <span class="nt">-S</span> appgroup <span class="o">&amp;&amp;</span> <span class="se">\ </span> adduser <span class="nt">-u</span> 1001 <span class="nt">-S</span> appuser <span class="nt">-G</span> appgroup <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=builder /app/blendBeat .</span> <span class="k">COPY</span><span class="s"> --from=builder /app/static ./static</span> <span class="k">RUN </span><span class="nb">chown</span> <span class="nt">-R</span> appuser:appgroup /app <span class="k">USER</span><span class="s"> appuser</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s --start-period=5s --retries=3 \</span> CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1 <span class="k">CMD</span><span class="s"> ["./blendBeat"]</span> </code></pre> </div> <p><strong>Key Learnings:</strong></p> <ul> <li>Always use multi-stage builds for Go applications</li> <li>Install both dev and runtime packages for native libraries</li> <li>Use non-root users for security</li> <li>Implement proper health checks</li> </ul> <h3> Phase 3: AWS Infrastructure Design </h3> <h4> Challenge #2: Choosing the Right AWS Service </h4> <p><strong>Options Considered:</strong></p> <ol> <li> <strong>AWS Lambda</strong> - Serverless, but libvips requires custom runtime</li> <li> <strong>AWS EC2</strong> - Full control, but requires manual management</li> <li> <strong>AWS ECS with Fargate</strong> - Container orchestration with serverless containers</li> <li> <strong>AWS App Runner</strong> - Simple deployment, but less control</li> </ol> <p><strong>Decision:</strong> AWS ECS with Fargate</p> <p><strong>Reasoning:</strong></p> <ul> <li>Native Docker support</li> <li>Auto-scaling capabilities</li> <li>Managed infrastructure</li> <li>Cost-effective for variable workloads</li> <li>Easy integration with other AWS services</li> </ul> <h4> Infrastructure Architecture </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet │ ▼ ┌─────────────────┐ │ Route 53 │ (Optional: Custom Domain) └─────────────────┘ │ ▼ ┌─────────────────┐ │ ALB │ (Application Load Balancer) └─────────────────┘ │ ▼ ┌─────────────────┐ │ ECS Fargate │ (Container Orchestration) │ ┌───────────┐ │ │ │ blendBeat │ │ (2+ Tasks) │ │ Container │ │ │ └───────────┘ │ └─────────────────┘ │ ▼ ┌─────────────────┐ │ CloudWatch │ (Logs &amp; Metrics) └─────────────────┘ </code></pre> </div> <h3> Phase 4: Infrastructure as Code </h3> <h4> Challenge #3: Complex AWS Resource Dependencies </h4> <p><strong>Problem:</strong> ECS services require VPC, subnets, security groups, load balancers, and IAM roles - all with specific dependencies.</p> <p><strong>Solution:</strong> Automated infrastructure setup script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># aws/setup-infrastructure.sh</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nv">AWS_REGION</span><span class="o">=</span><span class="s2">"us-east-1"</span> <span class="nv">AWS_ACCOUNT_ID</span><span class="o">=</span><span class="si">$(</span>aws sts get-caller-identity <span class="nt">--query</span> Account <span class="nt">--output</span> text<span class="si">)</span> <span class="nb">echo</span> <span class="s2">"🏗️ Setting up AWS infrastructure for blendBeat API..."</span> <span class="c"># Create ECR repository</span> aws ecr create-repository <span class="se">\</span> <span class="nt">--repository-name</span> blendbeat <span class="se">\</span> <span class="nt">--region</span> <span class="nv">$AWS_REGION</span> <span class="se">\</span> <span class="nt">--image-scanning-configuration</span> <span class="nv">scanOnPush</span><span class="o">=</span><span class="nb">true</span> <span class="c"># Create VPC and networking</span> <span class="nv">VPC_ID</span><span class="o">=</span><span class="si">$(</span>aws ec2 create-vpc <span class="se">\</span> <span class="nt">--cidr-block</span> 10.0.0.0/16 <span class="se">\</span> <span class="nt">--tag-specifications</span> <span class="s1">'ResourceType=vpc,Tags=[{Key=Name,Value=blendbeat-vpc}]'</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Vpc.VpcId'</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="c"># Create subnets, security groups, load balancer...</span> <span class="c"># (Full script available in repository)</span> </code></pre> </div> <p><strong>Key Components Created:</strong></p> <ul> <li> <strong>VPC</strong> with public subnets across 2 AZs</li> <li> <strong>Security Groups</strong> with proper port configurations</li> <li> <strong>Application Load Balancer</strong> with health checks</li> <li> <strong>ECS Cluster</strong> with Fargate capacity provider</li> <li> <strong>IAM Roles</strong> for task execution and task definition</li> <li> <strong>CloudWatch Log Group</strong> for centralized logging</li> </ul> <h3> Phase 5: ECS Task Definition </h3> <h4> Challenge #4: Configuring ECS for Production </h4> <p><strong>Problem:</strong> ECS task definitions require careful configuration of CPU, memory, networking, and health checks.</p> <p><strong>Solution:</strong> Comprehensive task definition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"family"</span><span class="p">:</span><span class="w"> </span><span class="s2">"blendbeat-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"networkMode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awsvpc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requiresCompatibilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">],</span><span class="w"> </span><span class="nl">"cpu"</span><span class="p">:</span><span class="w"> </span><span class="s2">"512"</span><span class="p">,</span><span class="w"> </span><span class="nl">"memory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1024"</span><span class="p">,</span><span class="w"> </span><span class="nl">"executionRoleArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::ACCOUNT:role/ecsTaskExecutionRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"taskRoleArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::ACCOUNT:role/ecsTaskRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"containerDefinitions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"blendbeat-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ACCOUNT.dkr.ecr.REGION.amazonaws.com/blendbeat:latest"</span><span class="p">,</span><span class="w"> </span><span class="nl">"portMappings"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="nl">"containerPort"</span><span class="p">:</span><span class="w"> </span><span class="mi">8080</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tcp"</span><span class="p">}],</span><span class="w"> </span><span class="nl">"essential"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"healthCheck"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"CMD-SHELL"</span><span class="p">,</span><span class="w"> </span><span class="s2">"wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1"</span><span class="p">],</span><span class="w"> </span><span class="nl">"interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="nl">"timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"retries"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"startPeriod"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"logConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"logDriver"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awslogs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"awslogs-group"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/ecs/blendbeat-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-stream-prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ecs"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Key Configuration Decisions:</strong></p> <ul> <li> <strong>CPU/Memory:</strong> 512 CPU units, 1GB RAM (suitable for image processing)</li> <li> <strong>Health Checks:</strong> 60-second start period for libvips initialization</li> <li> <strong>Logging:</strong> CloudWatch integration for centralized monitoring</li> <li> <strong>Networking:</strong> awsvpc mode for enhanced networking features</li> </ul> <h3> Phase 6: Deployment Automation </h3> <h4> Challenge #5: CI/CD Pipeline Integration </h4> <p><strong>Problem:</strong> Manual deployment process is error-prone and not scalable.</p> <p><strong>Solution:</strong> GitHub Actions workflow with automated deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy-aws.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to AWS</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">main</span> <span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Amazon ECR</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build, tag, and push image</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$GITHUB_SHA .</span> <span class="s">docker push $ECR_REGISTRY/$ECR_REPOSITORY:$GITHUB_SHA</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to ECS</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecs-deploy-task-definition@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">task-definition</span><span class="pi">:</span> <span class="s">aws/ecs-task-definition.json</span> <span class="na">service</span><span class="pi">:</span> <span class="s">blendbeat-api-service</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">blendbeat-cluster</span> <span class="na">wait-for-service-stability</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h2> 🎯 The Deployment Process </h2> <h3> Step 1: Infrastructure Setup </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configure AWS CLI (if not already done)</span> aws configure <span class="c"># Run infrastructure setup</span> ./aws/setup-infrastructure.sh </code></pre> </div> <p><strong>What happened:</strong></p> <ul> <li>Created ECR repository for container images</li> <li>Set up VPC with public subnets across 2 availability zones</li> <li>Configured security groups for HTTP/HTTPS traffic</li> <li>Created Application Load Balancer with target group</li> <li>Set up ECS cluster with Fargate capacity provider</li> <li>Created IAM roles for ECS task execution</li> <li>Configured CloudWatch log group</li> </ul> <h3> Step 2: Container Build and Push </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build and push Docker image</span> ./aws/deploy-ecs.sh </code></pre> </div> <p><strong>What happened:</strong></p> <ul> <li>Built Docker image with libvips dependencies</li> <li>Tagged image for ECR repository</li> <li>Pushed image to Amazon ECR</li> <li>Updated ECS service with new image</li> </ul> <h3> Step 3: Service Creation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Register task definition</span> aws ecs register-task-definition <span class="nt">--cli-input-json</span> file://aws/ecs-task-definition.json <span class="c"># Create ECS service</span> aws ecs create-service <span class="nt">--cli-input-json</span> file://aws/ecs-service.json </code></pre> </div> <p><strong>What happened:</strong></p> <ul> <li>Registered ECS task definition with proper resource allocation</li> <li>Created ECS service with 2 running tasks</li> <li>Configured load balancer integration</li> <li>Set up health checks and auto-scaling</li> </ul> <h2> 🚨 Challenges and Solutions </h2> <h3> Challenge #1: libvips Native Dependencies </h3> <p><strong>Problem:</strong> libvips requires specific system libraries that aren't available in standard Go Docker images.</p> <p><strong>Impact:</strong> Application wouldn't start in containerized environment.</p> <p><strong>Solution:</strong></p> <ul> <li>Used Alpine Linux base image with vips package</li> <li>Installed both development and runtime packages</li> <li>Used multi-stage build to minimize final image size</li> <li>Implemented proper health checks for initialization time</li> </ul> <p><strong>Code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Install libvips and build dependencies</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> <span class="se">\ </span> vips-dev <span class="se">\ </span> pkgconfig <span class="se">\ </span> gcc <span class="se">\ </span> musl-dev <span class="c"># Runtime stage</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> <span class="se">\ </span> vips <span class="se">\ </span> ca-certificates <span class="se">\ </span> tzdata </code></pre> </div> <h3> Challenge #2: ECS Health Check Configuration </h3> <p><strong>Problem:</strong> libvips initialization takes time, causing health checks to fail during container startup.</p> <p><strong>Impact:</strong> ECS tasks were marked as unhealthy and terminated.</p> <p><strong>Solution:</strong></p> <ul> <li>Increased health check start period to 60 seconds</li> <li>Used wget instead of curl for health checks (smaller footprint)</li> <li>Implemented proper health check endpoint in application</li> </ul> <p><strong>Configuration:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"healthCheck"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"CMD-SHELL"</span><span class="p">,</span><span class="w"> </span><span class="s2">"wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1"</span><span class="p">],</span><span class="w"> </span><span class="nl">"interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="nl">"timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"retries"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"startPeriod"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Challenge #3: Load Balancer Target Group Configuration </h3> <p><strong>Problem:</strong> ECS service creation failed due to incorrect target group ARN in service configuration.</p> <p><strong>Impact:</strong> Service couldn't be created, blocking deployment.</p> <p><strong>Solution:</strong></p> <ul> <li>Automated target group ARN retrieval during infrastructure setup</li> <li>Updated service configuration with correct ARN</li> <li>Implemented validation checks for resource dependencies</li> </ul> <p><strong>Fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get target group ARN dynamically</span> <span class="nv">TARGET_GROUP_ARN</span><span class="o">=</span><span class="si">$(</span>aws elbv2 create-target-group <span class="se">\</span> <span class="nt">--name</span> blendbeat-tg <span class="se">\</span> <span class="nt">--protocol</span> HTTP <span class="se">\</span> <span class="nt">--port</span> 8080 <span class="se">\</span> <span class="nt">--vpc-id</span> <span class="nv">$VPC_ID</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'TargetGroups[0].TargetGroupArn'</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="c"># Update service configuration</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s|TARGET_GROUP_PLACEHOLDER|</span><span class="nv">$TARGET_GROUP_ARN</span><span class="s2">|g"</span> aws/ecs-service.json </code></pre> </div> <h3> Challenge #4: Resource Naming Conflicts </h3> <p><strong>Problem:</strong> AWS resources with similar names already existed, causing creation failures.</p> <p><strong>Impact:</strong> Infrastructure setup would fail on subsequent runs.</p> <p><strong>Solution:</strong></p> <ul> <li>Implemented proper error handling for existing resources</li> <li>Used unique naming conventions with timestamps</li> <li>Added existence checks before resource creation</li> </ul> <p><strong>Code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check if resource exists before creating</span> <span class="nv">VPC_ID</span><span class="o">=</span><span class="si">$(</span>aws ec2 describe-vpcs <span class="nt">--filters</span> <span class="s2">"Name=tag:Name,Values=blendbeat-vpc"</span> <span class="nt">--query</span> <span class="s1">'Vpcs[0].VpcId'</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$VPC_ID</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"None"</span> <span class="o">]</span> <span class="o">||</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$VPC_ID</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Creating VPC..."</span> <span class="nv">VPC_ID</span><span class="o">=</span><span class="si">$(</span>aws ec2 create-vpc <span class="nt">--cidr-block</span> 10.0.0.0/16 ...<span class="si">)</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"VPC already exists: </span><span class="nv">$VPC_ID</span><span class="s2">"</span> <span class="k">fi</span> </code></pre> </div> <h3> Challenge #5: Memory and CPU Allocation </h3> <p><strong>Problem:</strong> Initial task definition had insufficient resources for image processing workloads.</p> <p><strong>Impact:</strong> Tasks were being killed due to out-of-memory errors.</p> <p><strong>Solution:</strong></p> <ul> <li>Increased memory allocation to 1GB</li> <li>Set CPU to 512 units (0.5 vCPU)</li> <li>Implemented proper resource monitoring</li> <li>Added auto-scaling based on CPU and memory usage</li> </ul> <p><strong>Configuration:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"cpu"</span><span class="p">:</span><span class="w"> </span><span class="s2">"512"</span><span class="p">,</span><span class="w"> </span><span class="nl">"memory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1024"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requiresCompatibilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 📊 Performance and Monitoring </h2> <h3> Application Performance </h3> <p><strong>Response Times:</strong></p> <ul> <li>Health check: ~50ms</li> <li>Image resize (400x300): ~200-500ms</li> <li>Image resize (800x600): ~500-1000ms</li> <li>Cache hit: ~10-20ms</li> </ul> <p><strong>Throughput:</strong></p> <ul> <li>Concurrent requests: 50+ (with 2 tasks)</li> <li>Images per minute: 200-300</li> <li>Cache hit ratio: 60-80%</li> </ul> <h3> Monitoring Setup </h3> <p><strong>CloudWatch Metrics:</strong></p> <ul> <li>ECS task CPU and memory utilization</li> <li>ALB request count and response time</li> <li>Target group health check status</li> <li>Custom application metrics (cache size, processing time)</li> </ul> <p><strong>Logging:</strong></p> <ul> <li>Centralized logging in CloudWatch</li> <li>Structured JSON logs for easy parsing</li> <li>Error tracking and alerting</li> <li>Performance monitoring</li> </ul> <p><strong>Alerts:</strong></p> <ul> <li>High CPU utilization (&gt;80%)</li> <li>High memory usage (&gt;90%)</li> <li>Failed health checks</li> <li>Error rate &gt;5%</li> </ul> <h2> 💰 Cost Analysis </h2> <h3> Monthly Cost Breakdown </h3> <p><strong>ECS Fargate (2 tasks):</strong></p> <ul> <li>CPU: 2 × 0.5 vCPU × $0.04048 = $0.04/hour = ~$30/month</li> <li>Memory: 2 × 1GB × $0.004445 = $0.009/hour = ~$6.50/month</li> </ul> <p><strong>Application Load Balancer:</strong></p> <ul> <li>Fixed cost: $16.20/month</li> <li>LCU usage: ~$5-10/month (depending on traffic)</li> </ul> <p><strong>ECR Storage:</strong></p> <ul> <li>Image storage: ~$1-2/month</li> </ul> <p><strong>CloudWatch Logs:</strong></p> <ul> <li>Log ingestion: ~$2-5/month</li> <li>Log storage: ~$1-2/month</li> </ul> <p><strong>Total Estimated Cost: ~$60-70/month</strong></p> <h3> Cost Optimization Strategies </h3> <ol> <li> <strong>Auto-scaling:</strong> Scale down during low-traffic periods</li> <li> <strong>Spot Instances:</strong> Use Spot capacity for non-critical workloads</li> <li> <strong>Reserved Capacity:</strong> Consider Reserved Instances for predictable workloads</li> <li> <strong>Log Retention:</strong> Set appropriate log retention periods</li> <li> <strong>Image Optimization:</strong> Use smaller base images to reduce storage costs</li> </ol> <h2> 🔧 Production Readiness Checklist </h2> <h3> Security </h3> <ul> <li>[x] Non-root user in containers</li> <li>[x] Security groups with minimal required ports</li> <li>[x] IAM roles with least privilege</li> <li>[x] VPC with private subnets (optional)</li> <li>[x] HTTPS termination at ALB (recommended)</li> </ul> <h3> Monitoring </h3> <ul> <li>[x] CloudWatch logs integration</li> <li>[x] Health check endpoints</li> <li>[x] Application metrics</li> <li>[x] Error tracking</li> <li>[x] Performance monitoring</li> </ul> <h3> Scalability </h3> <ul> <li>[x] Auto-scaling configuration</li> <li>[x] Load balancer distribution</li> <li>[x] Stateless application design</li> <li>[x] Caching implementation</li> <li>[x] Resource optimization</li> </ul> <h3> Reliability </h3> <ul> <li>[x] Multi-AZ deployment</li> <li>[x] Health check configuration</li> <li>[x] Graceful shutdown handling</li> <li>[x] Error handling and recovery</li> <li>[x] Circuit breaker patterns</li> </ul> <h2> 🚀 Future Enhancements </h2> <h3> Planned Improvements </h3> <ol> <li> <p><strong>Custom Domain and SSL:</strong></p> <ul> <li>Route 53 hosted zone</li> <li>ACM SSL certificate</li> <li>HTTPS redirection</li> </ul> </li> <li> <p><strong>Enhanced Monitoring:</strong></p> <ul> <li>Custom CloudWatch dashboards</li> <li>SNS alerts for critical issues</li> <li>X-Ray tracing for request flow</li> </ul> </li> <li> <p><strong>Auto-scaling:</strong></p> <ul> <li>Target tracking scaling policies</li> <li>Predictive scaling based on historical data</li> <li>Scheduled scaling for known traffic patterns</li> </ul> </li> <li> <p><strong>Caching Layer:</strong></p> <ul> <li>Redis ElastiCache for distributed caching</li> <li>CDN integration for static assets</li> <li>Edge caching for global performance</li> </ul> </li> <li> <p><strong>Security Enhancements:</strong></p> <ul> <li>WAF integration for DDoS protection</li> <li>Secrets Manager for sensitive configuration</li> <li>VPC endpoints for AWS service communication</li> </ul> </li> </ol> <h3> Advanced Features </h3> <ol> <li> <p><strong>Multi-format Support:</strong></p> <ul> <li>AVIF format support</li> <li>HEIF/HEIC processing</li> <li>Animated GIF handling</li> </ul> </li> <li> <p><strong>Advanced Processing:</strong></p> <ul> <li>Watermarking</li> <li>Image filters and effects</li> <li>Batch processing capabilities</li> </ul> </li> <li> <p><strong>API Enhancements:</strong></p> <ul> <li>Rate limiting</li> <li>API versioning</li> <li>OpenAPI documentation</li> <li>Authentication and authorization</li> </ul> </li> </ol> <h2> 📚 Lessons Learned </h2> <h3> Technical Lessons </h3> <ol> <li><p><strong>Native Dependencies:</strong> Always consider native library requirements when choosing containerization strategies.</p></li> <li><p><strong>Health Checks:</strong> Implement proper health checks with appropriate timeouts for applications with initialization overhead.</p></li> <li><p><strong>Resource Allocation:</strong> Monitor and adjust resource allocation based on actual usage patterns, not theoretical requirements.</p></li> <li><p><strong>Infrastructure as Code:</strong> Use automated scripts for infrastructure setup to ensure consistency and reproducibility.</p></li> <li><p><strong>Monitoring First:</strong> Implement monitoring and logging from day one, not as an afterthought.</p></li> </ol> <h3> Process Lessons </h3> <ol> <li><p><strong>Incremental Deployment:</strong> Deploy in small, incremental steps to identify issues early.</p></li> <li><p><strong>Testing in Production-like Environment:</strong> Use staging environments that mirror production as closely as possible.</p></li> <li><p><strong>Documentation:</strong> Document every decision and configuration for future reference and team collaboration.</p></li> <li><p><strong>Cost Monitoring:</strong> Set up cost alerts and regular cost reviews to avoid unexpected bills.</p></li> <li><p><strong>Security by Design:</strong> Implement security considerations from the beginning, not as a retrofit.</p></li> </ol> <h2> 🎉 Conclusion </h2> <p>Deploying the blendBeat API to AWS was a comprehensive journey that involved containerization, infrastructure design, and production deployment. The key to success was:</p> <ol> <li> <strong>Understanding the requirements</strong> - Native dependencies, performance needs, and scalability requirements</li> <li> <strong>Choosing the right tools</strong> - ECS Fargate for container orchestration, ALB for load balancing</li> <li> <strong>Automating everything</strong> - Infrastructure setup, deployment, and monitoring</li> <li> <strong>Planning for production</strong> - Security, monitoring, and cost optimization</li> </ol> <p>The final result is a production-ready, scalable image processing API that can handle real-world workloads while maintaining cost efficiency and operational simplicity.</p> <p><strong>Key Metrics:</strong></p> <ul> <li> <strong>Deployment Time:</strong> ~15 minutes (fully automated)</li> <li> <strong>Monthly Cost:</strong> ~$60-70</li> <li> <strong>Availability:</strong> 99.9%+ (with proper monitoring)</li> <li> <strong>Scalability:</strong> 0 to 100+ concurrent requests</li> <li> <strong>Performance:</strong> Sub-second response times for most operations</li> </ul> <p>The blendBeat API is now live at <code>http://blendbeat-alb-968984597.us-east-1.elb.amazonaws.com</code> and ready to serve production traffic!</p> <h2> 📖 Resources and References </h2> <ul> <li><a href="https://docs.aws.amazon.com/ecs/" rel="noopener noreferrer">AWS ECS Documentation</a></li> <li><a href="https://docs.docker.com/develop/dev-best-practices/dockerfile_best-practices/" rel="noopener noreferrer">Docker Multi-stage Builds</a></li> <li><a href="https://libvips.github.io/libvips/" rel="noopener noreferrer">libvips Documentation</a></li> <li><a href="https://github.com/h2non/bimg" rel="noopener noreferrer">Go bimg Library</a></li> <li><a href="https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html" rel="noopener noreferrer">AWS ECS Task Definition Parameters</a></li> </ul> <p><em>This blog post documents the complete deployment journey of blendBeat API from local development to AWS production. The code and configurations are available in the project repository for reference and reuse.</em><br> Repo:<a href="https://github.com/Blackie360/blendBeat" rel="noopener noreferrer">https://github.com/Blackie360/blendBeat</a></p> go aws api 🚀 How to Configure AWS CLI for the First Time Felix Jumason Mon, 25 Aug 2025 12:51:44 +0000 https://forem.com/blackie360/how-to-configure-aws-cli-for-the-first-time-4olg https://forem.com/blackie360/how-to-configure-aws-cli-for-the-first-time-4olg <p>If you’re starting your cloud journey with Amazon Web Services (AWS), one of the first things you’ll want to set up is the AWS Command Line Interface (CLI). The AWS CLI lets you manage your AWS services directly from your terminal — faster and more scriptable than clicking around in the console.</p> <p>In this guide, I’ll walk you through configuring AWS CLI for the very first time.<br> **</p> <h2> ✅ Step 1: Install AWS CLI** </h2> <p>First, make sure the AWS CLI is installed on your system.</p> <ul> <li> Linux / macOS: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install </code></pre> </div> <ul> <li> Windows:Download the installer from <a href="https://aws.amazon.com/cli/" rel="noopener noreferrer">AWS CLI downloads page</a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws --version </code></pre> </div> <h2> Step 2: Create an IAM User </h2> <p>For security reasons, don’t use the root AWS account. Instead:<br> Log into the AWS Management Console.<br> Go to IAM → Users → Add user.<br> Create a new user with programmatic access.<br> Attach permissions (you can start with AdministratorAccess for testing, but use least privilege in real projects).</p> <p><strong>Go to IAM → Users → Add user.</strong><br> For me I already have some users added but if it is you first time it will be blank.<br> Click create user<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkpjy2889o2y0olctgszi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkpjy2889o2y0olctgszi.png" alt="Go to IAM → Users → Add user." width="800" height="390"></a></p> <p><strong>User Details</strong> <br> Give your user a unique user name <br> you can give the user AWS management console but its not best practice so I wont give my new users </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvr9ydq0hx7jvvp2kbbbg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvr9ydq0hx7jvvp2kbbbg.png" alt="user" width="800" height="390"></a></p> <p>*<em>Add user to a group *</em><br> User groups are best-practice way to manage user's permissions by job functions.<br> For this user I will add him to the admin group </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Funklzs6alosubo6q646r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Funklzs6alosubo6q646r.png" alt="user" width="800" height="390"></a></p> <p>For this user I will add him to the admin group </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxu0dxncooypei8bu4c65.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxu0dxncooypei8bu4c65.png" alt="user group" width="800" height="390"></a></p> <p>Hurrah you have successfully created a user</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1jllz3qcgzaa6wz8rg52.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1jllz3qcgzaa6wz8rg52.png" alt="image" width="800" height="302"></a></p> <p>Now we want to get access Key and Access secret <br> click on the user and it will open a similar page like below.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbyksukpftfgvwjf3ejyj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbyksukpftfgvwjf3ejyj.png" alt="cli" width="800" height="378"></a><br> Here click on the CLI one </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fitsly33qhrxlfos4m4ah.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fitsly33qhrxlfos4m4ah.png" alt="blurry keys" width="800" height="378"></a></p> <p>Lets go back to our local terminal to configure AWS </p> <h2> ✅ Step 3: Run aws configure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws configure </code></pre> </div> <p>It will ask you for four inputs:</p> <ol> <li>*<em>AWS Access Key ID *</em>→ Paste your key.</li> <li> <strong>AWS Secret Access Key</strong> → Paste your secret.</li> <li> <strong>Default region name</strong> → Example: us-east-1, eu-west-1, ap-south-1.</li> <li> <strong>Default output format</strong> → Options: json, table, or text. (json is recommended).</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqgy3yifpkya35myg39rf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqgy3yifpkya35myg39rf.png" alt="cli" width="800" height="583"></a><br> .</p> <h2> ✅ Step 4: Verify Configuration </h2> <p>To check if everything works, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws s3 ls </code></pre> </div> <p>If you have S3 buckets, <strong>you’ll see them listed</strong>. If not, it should return nothing but** no error means** your setup is <strong>successful! 🎉</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwl1b3x6k710af3dz0ouh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwl1b3x6k710af3dz0ouh.png" alt="s3" width="800" height="583"></a></p> aws cli # 🚀 Introduction to AWS SQS (Simple Queue Service) Felix Jumason Wed, 23 Apr 2025 12:53:15 +0000 https://forem.com/blackie360/-introduction-to-aws-sqs-simple-queue-service-2e00 https://forem.com/blackie360/-introduction-to-aws-sqs-simple-queue-service-2e00 <p>In today's cloud-native world, <strong>decoupling applications</strong> is key to building scalable, resilient systems. That's where <strong>AWS SQS</strong> comes in — a fully managed message queuing service that enables asynchronous communication between distributed systems.</p> <p>Whether you're building microservices or event-driven applications, <strong>Amazon Simple Queue Service (SQS)</strong> offers a reliable, secure, and scalable solution for managing message queues without managing your own queuing infrastructure.</p> <h2> 📦 What is AWS SQS? </h2> <p><strong>Amazon SQS</strong> is a distributed message queuing service designed to facilitate communication between software components without requiring them to be tightly coupled.</p> <blockquote> <p>Think of SQS as a post office: senders post letters (messages), and recipients collect them at their convenience.</p> </blockquote> <h3> 🧩 Key Features of AWS SQS </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><strong>Fully Managed</strong></td> <td>No need to provision or manage servers.</td> </tr> <tr> <td><strong>Scalable</strong></td> <td>Automatically scales to handle any message volume.</td> </tr> <tr> <td><strong>Durable</strong></td> <td>Stores messages across multiple AZs (Availability Zones).</td> </tr> <tr> <td><strong>Secure</strong></td> <td>Offers end-to-end encryption, access control with IAM.</td> </tr> <tr> <td><strong>Flexible Delivery</strong></td> <td>Supports standard and FIFO queues.</td> </tr> <tr> <td><strong>Dead Letter Queues</strong></td> <td>Handles message processing failures.</td> </tr> </tbody> </table></div> <h2> 🛠️ Types of Queues in SQS </h2> <h3> 1. <strong>Standard Queues</strong> </h3> <ul> <li><strong>High throughput</strong></li> <li> <strong>At-least-once delivery</strong> (possible duplicates)</li> <li><strong>Best-effort ordering</strong></li> </ul> <h3> 2. <strong>FIFO (First-In-First-Out) Queues</strong> </h3> <ul> <li><strong>Exactly-once processing</strong></li> <li><strong>Strict message ordering</strong></li> <li>Ideal for financial or transactional systems</li> </ul> <h2> 🔄 How AWS SQS Works </h2> <ol> <li> <strong>Producer</strong> sends a message to the queue. </li> <li> <strong>SQS</strong> holds the message securely. </li> <li> <strong>Consumer</strong> retrieves the message for processing. </li> <li>Once processed, the message is deleted.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61h4s0zqxrmbygt9wwja.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61h4s0zqxrmbygt9wwja.png" alt="SQS Workflow" width="800" height="311"></a></p> <p><em>Simple message flow: Producer ➡ SQS ➡ Consumer</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff9esqashdxtrvz7i1n2c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff9esqashdxtrvz7i1n2c.png" alt="sqs" width="800" height="429"></a></p> <h2> 🔐 Security in SQS </h2> <ul> <li> <strong>Encryption</strong>: Messages can be encrypted in-transit and at-rest using AWS KMS.</li> <li> <strong>Access Control</strong>: Use <strong>IAM roles and policies</strong> to restrict access.</li> <li> <strong>VPC Endpoints</strong>: For private, secure communication.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmaskttb54jorgamjw80l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmaskttb54jorgamjw80l.png" alt="kms+sqs+sns" width="800" height="469"></a></p> <h2> 🚧 Use Cases for AWS SQS </h2> <ul> <li><strong>Decoupling microservices</strong></li> <li><strong>Batch processing of tasks</strong></li> <li><strong>Order processing systems</strong></li> <li><strong>Log and event pipelines</strong></li> <li><strong>Buffering messages before database writes</strong></li> </ul> <blockquote> <p>💡 <em>Pro Tip:</em> Combine SQS with <strong>AWS Lambda</strong> to process messages in a serverless way!</p> </blockquote> <h2> ⚙️ Sample SQS Code (Using Node.js AWS SDK) </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">sqs</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SQS</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="p">{</span> <span class="na">MessageBody</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Hello from Felix!</span><span class="dl">'</span><span class="p">,</span> <span class="na">QueueUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://sqs.us-east-1.amazonaws.com/123456789012/my-queue</span><span class="dl">'</span> <span class="p">};</span> <span class="nx">sqs</span><span class="p">.</span><span class="nf">sendMessage</span><span class="p">(</span><span class="nx">params</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="k">else</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Message Sent:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">MessageId</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>📏 Best Practices for Using SQS<br> ✅ Use Dead Letter Queues (DLQ) to catch failed messages<br> ✅ Set Visibility Timeout wisely<br> ✅ Use Long Polling to reduce cost and increase efficiency<br> ✅ Monitor with Amazon CloudWatch<br> ✅ Secure queues with IAM policies</p> <p>🌍 Real-World Example: Order Management System<br> In an e-commerce app:</p> <p>A customer places an order.</p> <p>The app sends an order message to an SQS queue.</p> <p>A backend service processes the order from the queue.</p> <p>Another service sends out notifications or invoices asynchronously.</p> <p>Architecture of e-commerce using SQS queues</p> <p>🧮 Pricing Overview<br> SQS is pay-as-you-go, charged by:</p> <p>Number of requests (first 1M/month free)</p> <p>Payload size</p> <p>Data transfer (if applicable)</p> <p>It’s cost-effective for both startups and enterprise-grade applications.</p> <p>🧠 Conclusion<br> Amazon SQS plays a crucial role in decoupling services, buffering workloads, and increasing reliability of modern cloud applications. It’s a backbone service for developers building scalable, event-driven, and fault-tolerant systems on AWS.</p> aws sqs webdev