The latest articles on Forem by DarkEdges (@darkedges). https://forem.com/darkedges https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1396307%2F1b5a1a60-77b1-40cd-89e3-0cfb704caf5a.jpeg https://forem.com/darkedges en DarkEdges Wed, 03 Dec 2025 19:39:08 +0000 https://forem.com/darkedges/enriching-vault-oidc-tokens-with-spiffe-identity-metadata-using-terraform-314g https://forem.com/darkedges/enriching-vault-oidc-tokens-with-spiffe-identity-metadata-using-terraform-314g <p>In modern microservices architectures, machine identity is just as critical as human identity. When services communicate, they often need to prove not just <em>who</em> they are, but <em>what</em> they are—their environment, business unit, or SPIFFE ID.</p> <p>HashiCorp Vault is excellent for this. Its Identity Secrets Engine can issue OIDC tokens that serve as verifiable credentials for your workloads. However, getting those tokens to contain rich, custom metadata requires connecting a few specific dots: <strong>AppRole</strong>, <strong>Identity Entities</strong>, and <strong>OIDC Templates</strong>.</p> <p>In this article, I'll walk through how to implement a robust machine identity pipeline using Terraform, where an application authenticates via AppRole and receives an OIDC token enriched with custom metadata.</p> <h2> The Goal </h2> <p>We want an application (e.g., a "ChatBot") to:</p> <ol> <li>Authenticate to Vault using the <strong>AppRole</strong> method.</li> <li>Request an <strong>OIDC token</strong>.</li> <li>Receive a token containing custom claims like <code>spiffe_id</code>, <code>business_unit</code>, and <code>environment</code>.</li> </ol> <h2> Step 1: Define the Identity Entity </h2> <p>First, we define the "who". In Vault, an <strong>Entity</strong> represents a unique identity. This is where we store the metadata we want to eventually see in our token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># identities.tf</span> <span class="nx">resource</span> <span class="s2">"vault_identity_entity"</span> <span class="s2">"application"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">application_identities_map</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="c1"># This metadata is what we'll inject into the token later</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">identity</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">business_unit</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">identity</span><span class="p">.</span><span class="nx">business_unit</span> <span class="nx">spiffe_id</span> <span class="p">=</span> <span class="s2">"spiffe://vault/application/${each.value.identity.environment}/${each.value.identity.business_unit}/${each.value.identity.name}"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 2: Configure AppRole Authentication </h2> <p>Next, we configure the <strong>AppRole</strong> auth backend. This is the standard way for machines to authenticate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># approle.tf</span> <span class="nx">resource</span> <span class="s2">"vault_approle_auth_backend_role"</span> <span class="s2">"applications"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">application_identities_map</span> <span class="nx">backend</span> <span class="p">=</span> <span class="nx">vault_auth_backend</span><span class="p">.</span><span class="nx">approle</span><span class="p">.</span><span class="nx">path</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">token_ttl</span> <span class="p">=</span> <span class="mi">3600</span> <span class="nx">bind_secret_id</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h3> The "Secret Sauce": Binding AppRole to the Entity </h3> <p>This is the most critical step. By default, when you log in with AppRole, Vault creates a generic entity for that role. To use our custom metadata defined in Step 1, we must explicitly bind the AppRole to our specific Entity using an <strong>Entity Alias</strong>.</p> <p><strong>Important Gotcha:</strong> When creating an alias for AppRole, the <code>name</code> of the alias must be the <strong>Role ID</strong>, not the Role Name.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># approle.tf</span> <span class="nx">resource</span> <span class="s2">"vault_identity_entity_alias"</span> <span class="s2">"approle_applications"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">application_identities_map</span> <span class="c1"># CRITICAL: Use role_id, not role_name</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">vault_approle_auth_backend_role</span><span class="p">.</span><span class="nx">applications</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">role_id</span> <span class="nx">mount_accessor</span> <span class="p">=</span> <span class="nx">vault_auth_backend</span><span class="p">.</span><span class="nx">approle</span><span class="p">.</span><span class="nx">accessor</span> <span class="nx">canonical_id</span> <span class="p">=</span> <span class="nx">vault_identity_entity</span><span class="p">.</span><span class="nx">application</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>We also need to ensure the AppRole inherits the entity's properties. We can enforce this via a generic endpoint configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"vault_generic_endpoint"</span> <span class="s2">"approle_entity_inherit"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">application_identities_map</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">vault_approle_auth_backend_role</span><span class="p">.</span><span class="nx">applications</span><span class="p">]</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"auth/approle/role/${each.key}"</span> <span class="nx">data_json</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">entity_alias_sole_inherit</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: Configure the OIDC Template </h2> <p>Finally, we configure the OIDC provider and role. The <code>template</code> field is where the magic happens. We use Vault's template syntax to pull values dynamically from the authenticated entity's metadata.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># identity_tokens.tf</span> <span class="nx">resource</span> <span class="s2">"vault_identity_oidc_role"</span> <span class="s2">"application_identity"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"application_identity"</span> <span class="nx">key</span> <span class="p">=</span> <span class="nx">vault_identity_oidc_key</span><span class="p">.</span><span class="nx">application_identity</span><span class="p">.</span><span class="nx">name</span> <span class="nx">client_id</span> <span class="p">=</span> <span class="s2">"spiffe://vault.darkedges.au/gateway"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">86400</span> <span class="c1"># The Template: Injecting metadata into the JSON payload</span> <span class="nx">template</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOT</span><span class="sh"> { "azp": {{identity.entity.metadata.spiffe_id}}, "nbf": {{time.now}}, "groups": {{identity.entity.groups.names}}, "appinfo": { "business_unit": {{identity.entity.metadata.business_unit}}, "environment": {{identity.entity.metadata.environment}} } } </span><span class="no">EOT </span><span class="p">}</span> </code></pre> </div> <h2> Step 4: Testing the Flow </h2> <p>Now, let's see it in action. We'll use PowerShell to simulate the application workflow.</p> <h3> 1. Get Credentials &amp; Login </h3> <p>First, we retrieve the Role ID and Secret ID, then authenticate to get a Vault token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="c"># Get Role ID and Secret ID</span><span class="w"> </span><span class="nv">$ROLE_ID</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">docker-compose</span><span class="w"> </span><span class="nx">exec</span><span class="w"> </span><span class="nx">vault</span><span class="w"> </span><span class="nx">vault</span><span class="w"> </span><span class="nx">read</span><span class="w"> </span><span class="nt">-field</span><span class="o">=</span><span class="n">role_id</span><span class="w"> </span><span class="nx">auth/approle/role/ChatBot/role-id</span><span class="w"> </span><span class="nv">$SECRET_ID</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">docker-compose</span><span class="w"> </span><span class="nx">exec</span><span class="w"> </span><span class="nx">vault</span><span class="w"> </span><span class="nx">vault</span><span class="w"> </span><span class="nx">write</span><span class="w"> </span><span class="nt">-f</span><span class="w"> </span><span class="nt">-field</span><span class="o">=</span><span class="n">secret_id</span><span class="w"> </span><span class="nx">auth/approle/role/ChatBot/secret-id</span><span class="w"> </span><span class="c"># Login</span><span class="w"> </span><span class="nv">$APPTOKEN</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">docker-compose</span><span class="w"> </span><span class="nx">exec</span><span class="w"> </span><span class="nx">vault</span><span class="w"> </span><span class="nx">vault</span><span class="w"> </span><span class="nx">write</span><span class="w"> </span><span class="nt">-field</span><span class="o">=</span><span class="n">token</span><span class="w"> </span><span class="nx">auth/approle/login</span><span class="w"> </span><span class="nx">role_id</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ROLE_ID</span><span class="s2">"</span><span class="w"> </span><span class="n">secret_id</span><span class="o">=</span><span class="s2">"</span><span class="nv">$SECRET_ID</span><span class="s2">"</span><span class="w"> </span></code></pre> </div> <h3> 2. Request the OIDC Token </h3> <p>Using the Vault token we just got, we request the OIDC token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$OIDC_TOKEN</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">docker-compose</span><span class="w"> </span><span class="nx">exec</span><span class="w"> </span><span class="nt">-e</span><span class="w"> </span><span class="nx">VAULT_TOKEN</span><span class="o">=</span><span class="s2">"</span><span class="nv">$APPTOKEN</span><span class="s2">"</span><span class="w"> </span><span class="n">vault</span><span class="w"> </span><span class="nx">vault</span><span class="w"> </span><span class="nx">read</span><span class="w"> </span><span class="nt">-field</span><span class="o">=</span><span class="n">token</span><span class="w"> </span><span class="nx">identity/oidc/token/application_identity</span><span class="w"> </span></code></pre> </div> <h3> 3. The Result </h3> <p>When we decode the JWT, we see our rich metadata is successfully populated!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"appinfo"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"business_unit"</span><span class="p">:</span><span class="w"> </span><span class="s2">"engineering"</span><span class="p">,</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"production"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"spiffe://vault.darkedges.au/gateway"</span><span class="p">,</span><span class="w"> </span><span class="nl">"azp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"spiffe://vault/application/production/engineering/ChatBot"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1764848993</span><span class="p">,</span><span class="w"> </span><span class="nl">"groups"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ChatBot group"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1764762593</span><span class="p">,</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://vault.darkedges.au/v1/identity/oidc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ea0e0006-d4f5-cbde-3cb6-c013d4dba5f2"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Conclusion </h2> <p>By combining <strong>Identity Entities</strong>, <strong>AppRole Aliases</strong>, and <strong>OIDC Templates</strong>, we've turned Vault into a powerful identity provider for our internal services. This setup allows downstream systems (like API gateways or service meshes) to make authorization decisions based on trusted, verifiable metadata like <code>business_unit</code> or <code>environment</code>, rather than just a raw IP address or generic token.</p> <p>a complete example is available at <a href="https://github.com/darkedges/spiffe-vault-terraform" rel="noopener noreferrer">https://github.com/darkedges/spiffe-vault-terraform</a></p> <h2> Inspiration </h2> <ul> <li><a href="https://github.com/ausmartway/vault-config-as-code" rel="noopener noreferrer">https://github.com/ausmartway/vault-config-as-code</a></li> <li><a href="https://medium.com/macquarie-engineering-blog/embracing-modern-identity-with-spiffe-and-hashicorp-vault-a-macquarie-bank-journey-9f17ae748f82" rel="noopener noreferrer">https://medium.com/macquarie-engineering-blog/embracing-modern-identity-with-spiffe-and-hashicorp-vault-a-macquarie-bank-journey-9f17ae748f82</a></li> </ul> devops security terraform DarkEdges Fri, 07 Nov 2025 09:06:41 +0000 https://forem.com/darkedges/auto-detecting-csv-schemas-for-lightning-fast-clickhouse-ingestion-with-parquet-34d9 https://forem.com/darkedges/auto-detecting-csv-schemas-for-lightning-fast-clickhouse-ingestion-with-parquet-34d9 <p>As a data engineer, one of the most repetitive tasks I face is ingesting data from CSV files. The problem isn't just loading the data; it's the ceremony that comes with it. Every time a new data source appears, I have to manually inspect the columns, define a table schema, and write a script to load it. What if the CSV has 100 columns? What if the data types are ambiguous? This process is tedious and error-prone.</p> <p>I wanted a better way. My goal was to create a Node.js script that could:</p> <ol> <li> <strong>Read any CSV file</strong> without prior knowledge of its structure.</li> <li> <strong>Auto-detect the schema</strong>, including column names and data types.</li> <li> <strong>Convert the CSV to Parquet</strong>, a highly efficient columnar storage format.</li> <li> <strong>Prepare for ingestion</strong> into ClickHouse, which loves Parquet.</li> </ol> <p>In this article, I'll walk you through the proof-of-concept I built to solve this exact problem.</p> <h2> Why Parquet and ClickHouse? </h2> <p><strong>ClickHouse</strong> is an open-source, column-oriented database built for speed. It's a beast for analytical queries (OLAP).</p> <p><strong>Apache Parquet</strong> is a columnar storage format. Instead of storing data in rows, it stores it in columns. This is a perfect match for ClickHouse because it allows the database to read only the columns it needs for a query, dramatically reducing I/O and speeding up performance.</p> <p>Combining the two means you get efficient storage and lightning-fast analytics.</p> <h2> The Concept: From CSV to Parquet </h2> <p>Our script will perform a three-step process:</p> <ol> <li> <strong>Schema Detection</strong>: Read the CSV headers and a few sample rows to infer the data type of each column (e.g., <code>string</code>, <code>number</code>, <code>boolean</code>).</li> <li> <strong>Data Transformation</strong>: Convert the raw string values from the CSV into their inferred types.</li> <li> <strong>Parquet Conversion</strong>: Write the transformed data and the detected schema into a new <code>.parquet</code> file.</li> </ol> <p>Let's start with a simple CSV file to demonstrate.</p> <h3> Our Example CSV: <code>sample-data.csv</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>id,first_name,last_name,email,is_active,created_at,balance 1,John,Doe,john.doe@example.com,true,2023-01-15T10:00:00Z,150.75 2,Jane,Smith,jane.smith@example.com,false,2023-02-20T11:30:00Z,200.00 3,Peter,Jones,peter.jones@example.com,true,2023-03-10T09:05:00Z,50.25 4,Mary,Williams,mary.w@example.com,true,2023-04-01T15:45:00Z,300.50 </code></pre> </div> <p>This file has a nice mix of data types: integers, strings, booleans, timestamps, and floating-point numbers.</p> <h2> Step 1: Setting Up the Project </h2> <p>First, let's set up a simple Node.js project and install the necessary libraries. We'll use <code>papaparse</code> for robust CSV parsing and <code>parquetjs</code> for writing Parquet files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm init <span class="nt">-y</span> npm <span class="nb">install </span>papaparse parquetjs </code></pre> </div> <h2> Step 2: Auto-Detecting the Schema </h2> <p>This is the core of our solution. We need a function that can look at the string data from the CSV and make an educated guess about its real type.</p> <p>Here’s a simple type inference function. It checks if a value is a boolean, a number, or a date. If it's none of those, it defaults to a string.</p> <p><code>index.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Function to infer data type from a string value</span> <span class="kd">function</span> <span class="nf">inferType</span><span class="p">(</span><span class="nx">value</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">value</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">value</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">false</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">BOOLEAN</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isNaN</span><span class="p">(</span><span class="nx">value</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">value</span><span class="p">.</span><span class="nf">trim</span><span class="p">()</span> <span class="o">!==</span> <span class="dl">''</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">DOUBLE</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Use DOUBLE for all numbers for simplicity</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isNaN</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">value</span><span class="p">)))</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">UTF8</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Dates will be stored as strings (UTF8)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">UTF8</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Default to string</span> <span class="p">}</span> </code></pre> </div> <p>Now, we can use this to build a schema from the CSV file. We'll read the first data row to infer the types for each column.</p> <p><code>index.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">papa</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">papaparse</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// ... inferType function from above ...</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">detectSchema</span><span class="p">(</span><span class="nx">filePath</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fileContent</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">filePath</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">papa</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">fileContent</span><span class="p">,</span> <span class="p">{</span> <span class="na">header</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">preview</span><span class="p">:</span> <span class="mi">1</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">errors</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error parsing CSV for schema detection.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">firstRecord</span> <span class="o">=</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">header</span> <span class="k">in</span> <span class="nx">firstRecord</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">value</span> <span class="o">=</span> <span class="nx">firstRecord</span><span class="p">[</span><span class="nx">header</span><span class="p">];</span> <span class="nx">schema</span><span class="p">[</span><span class="nx">header</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nf">inferType</span><span class="p">(</span><span class="nx">value</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">schema</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>When we run <code>detectSchema('sample-data.csv')</code>, it will produce an object like this, which is exactly the format <code>parquetjs</code> needs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DOUBLE"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"first_name"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UTF8"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"last_name"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UTF8"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UTF8"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"is_active"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"BOOLEAN"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UTF8"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"balance"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DOUBLE"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Step 3: Converting CSV to Parquet </h2> <p>With the schema detected, we can now read the entire CSV and write it to a Parquet file. The process involves:</p> <ol> <li> Creating a <code>ParquetSchema</code> and a <code>ParquetWriter</code>.</li> <li> Iterating through the CSV rows.</li> <li> Casting each value to its detected type (e.g., converting the string <code>"true"</code> to the boolean <code>true</code>).</li> <li> Appending the transformed row to the writer.</li> </ol> <p>Here's the code to bring it all together:</p> <p><code>index.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">ParquetSchema</span><span class="p">,</span> <span class="nx">ParquetWriter</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">parquetjs</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// ... detectSchema and inferType functions ...</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">convertCsvToParquet</span><span class="p">(</span><span class="nx">csvPath</span><span class="p">,</span> <span class="nx">parquetPath</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Detecting schema...</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">schemaDefinition</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">detectSchema</span><span class="p">(</span><span class="nx">csvPath</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ParquetSchema</span><span class="p">(</span><span class="nx">schemaDefinition</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">writer</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ParquetWriter</span><span class="p">.</span><span class="nf">openFile</span><span class="p">(</span><span class="nx">schema</span><span class="p">,</span> <span class="nx">parquetPath</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fileContent</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">csvPath</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">papa</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">fileContent</span><span class="p">,</span> <span class="p">{</span> <span class="na">header</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">skipEmptyLines</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Found </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> records. Converting to Parquet...`</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">row</span> <span class="k">of</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">processedRow</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">key</span> <span class="k">in</span> <span class="nx">row</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">value</span> <span class="o">=</span> <span class="nx">row</span><span class="p">[</span><span class="nx">key</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">type</span> <span class="o">=</span> <span class="nx">schemaDefinition</span><span class="p">[</span><span class="nx">key</span><span class="p">].</span><span class="nx">type</span><span class="p">;</span> <span class="c1">// Cast values to their proper types</span> <span class="k">if </span><span class="p">(</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">BOOLEAN</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">processedRow</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nx">value</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">DOUBLE</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">processedRow</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nf">parseFloat</span><span class="p">(</span><span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">processedRow</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nx">value</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">writer</span><span class="p">.</span><span class="nf">appendRow</span><span class="p">(</span><span class="nx">processedRow</span><span class="p">);</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">writer</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Parquet file written to </span><span class="p">${</span><span class="nx">parquetPath</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Run the conversion</span> <span class="nf">convertCsvToParquet</span><span class="p">(</span><span class="dl">'</span><span class="s1">sample-data.csv</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">output.parquet</span><span class="dl">'</span><span class="p">).</span><span class="k">catch</span><span class="p">(</span><span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">);</span> </code></pre> </div> <p>After running this script (<code>node index.js</code>), you'll have an <code>output.parquet</code> file ready for ClickHouse!</p> <h2> Step 4: Ingesting into ClickHouse </h2> <p>Now for the easy part. Ingesting the Parquet file into ClickHouse is incredibly simple. First, you need a table with a matching schema.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">my_data</span> <span class="p">(</span> <span class="n">id</span> <span class="n">Float64</span><span class="p">,</span> <span class="n">first_name</span> <span class="n">String</span><span class="p">,</span> <span class="n">last_name</span> <span class="n">String</span><span class="p">,</span> <span class="n">email</span> <span class="n">String</span><span class="p">,</span> <span class="n">is_active</span> <span class="nb">Boolean</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">String</span><span class="p">,</span> <span class="n">balance</span> <span class="n">Float64</span> <span class="p">)</span> <span class="n">ENGINE</span> <span class="o">=</span> <span class="n">MergeTree</span><span class="p">()</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">id</span><span class="p">;</span> </code></pre> </div> <p>Then, you can use the <code>clickhouse-client</code> to ingest the file directly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>clickhouse-client <span class="nt">--query</span><span class="o">=</span><span class="s2">"INSERT INTO my_data FORMAT Parquet"</span> &lt; output.parquet </code></pre> </div> <p>ClickHouse reads the Parquet file's schema and streams the data directly into the table. It's fast, efficient, and requires no complex <code>INSERT</code> statements with tons_of_values.</p> <h2> Conclusion </h2> <p>By automating schema detection and converting CSVs to Parquet, we've created a powerful and reusable ETL pipeline. This approach saves a massive amount of time, reduces manual errors, and leverages the high-performance capabilities of both Parquet and ClickHouse.</p> <p>This proof-of-concept can be expanded with more robust type detection, error handling, and integration into a larger data workflow, but it's a fantastic starting point for streamlining your data ingestion process.</p> node dataengineering database automation DarkEdges Fri, 22 Aug 2025 04:25:24 +0000 https://forem.com/darkedges/uprading-ping-identity-platform-to-800-5hj2 https://forem.com/darkedges/uprading-ping-identity-platform-to-800-5hj2 <h2> Ping AM </h2> <h3> Issue with new config when running amupgrade </h3> <p>The following appears to be added in the wrong place with incorrect details</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmp4tpzznv2vkzhvpujow.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmp4tpzznv2vkzhvpujow.png" alt=" " width="354" height="106"></a></p> <h3> Error on Startup after migration </h3> <p>When PingAM Starts and you attempt to connect it fails with this in the log.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dfq-am | {"timestamp":"2025-08-22T04:24:20.258Z","level":"WARN","thread":"http-nio-8080-exec-10","mdc":{"transactionId":"4a84d7a7-8b56-4819-b5c6-6adc4d215e2e-38"},"logger":"org.forgerock.openam.core.realms.impl.DefaultRealmLookup","message":"DefaultRealms:lookup Unable to find Org name for: serverinfo","context":"default","transactionId":"4a84d7a7-8b56-4819-b5c6-6adc4d215e2e-38"} dfq-am | {"timestamp":"2025-08-22T04:24:20.397Z","level":"WARN","thread":"http-nio-8080-exec-2","mdc":{"transactionId":"4a84d7a7-8b56-4819-b5c6-6adc4d215e2e-43"},"logger":"org.forgerock.openam.core.realms.impl.DefaultRealmLookup","message":"DefaultRealms:lookup Unable to find Org name for: sessions","context":"default","transactionId":"4a84d7a7-8b56-4819-b5c6-6adc4d215e2e-43"} dfq-am | {"timestamp":"2025-08-22T04:24:20.414Z","level":"WARN","thread":"http-nio-8080-exec-2","mdc":{"transactionId":"4a84d7a7-8b56-4819-b5c6-6adc4d215e2e-43"},"logger":"com.sun.identity.monitoring.MonitoringServicesImpl","message":"JDMK runtime not found - Policy Monitoring disabled","context":"default","transactionId":"4a84d7a7-8b56-4819-b5c6-6adc4d215e2e-43"} dfq-am | {"timestamp":"2025-08-22T04:24:20.523Z","level":"WARN","thread":"http-nio-8080-exec-2","mdc":{"transactionId":"4a84d7a7-8b56-4819-b5c6-6adc4d215e2e-43"},"logger":"com.sun.identity.idm.plugins.internal.AgentsRepo","message":"AgentsRepo.getAgentGroupConfig: Unable to get Agent Group Config due to The instance agentgroup does not exist","context":"default","transactionId":"4a84d7a7-8b56-4819-b5c6-6adc4d215e2e-43"} dfq-am | {"timestamp":"2025-08-22T04:24:20.637Z","level":"WARN","thread":"http-nio-8080-exec-1","mdc":{"transactionId":"4a84d7a7-8b56-4819-b5c6-6adc4d215e2e-56"},"logger":"org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV2","message":"Authentication encountered an error: [Status: 401 Unauthorized]","context":"default","transactionId":"4a84d7a7-8b56-4819-b5c6-6adc4d215e2e-56"} </code></pre> </div> <p>it is missing the following entry in Ping DS<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dn: ou=agentgroup,ou=Instances,ou=1.0,ou=AgentService,ou=services,ou=am-config objectClass: top objectClass: sunServiceComponent objectClass: organizationalUnit ou: agentgroup sunserviceID: agentgroup </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwwju9qqnd87h7uu21wuk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwwju9qqnd87h7uu21wuk.png" alt=" " width="800" height="331"></a></p> DarkEdges Sat, 16 Aug 2025 06:34:34 +0000 https://forem.com/darkedges/creating-a-workflow-using-your-connector-54fk https://forem.com/darkedges/creating-a-workflow-using-your-connector-54fk <p>In order to use connector you need to </p> <ul> <li>Create a Connection</li> <li>Create a Flow</li> </ul> <h2> Create a Connection </h2> <ol> <li>Connect to your Okta Workflow instance.</li> <li>Select <code>Connections</code>.</li> <li>Under <code>Connections</code> click the <code>New Connection</code> icon.</li> <li>Select Your connector <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgnhwcpcpu44wbsen73e1.png" alt=" " width="545" height="192"> </li> <li>Provide the details and click the <code>Create</code> button. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzq9m3ydp0qsik3zvyf2c.png" alt=" " width="562" height="870"> </li> </ol> <h2> Create a Flow </h2> <ol> <li>Connect to your Okta Workflow instance.</li> <li>Select <code>Flows</code>.</li> <li>Click the <code>New Flow</code> button.</li> <li>In the <code>When this happens</code> block click <code>Add event</code> and select <code>API Endpoint</code>. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgjf5yvxnlobt0t3kbiig.png" alt=" " width="513" height="571"> </li> <li>Click <code>save</code> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmmp4m4iu95doy7gi7kmc.png" alt=" " width="504" height="337"> </li> <li>In the <code>Then do this</code> block click <code>Add function</code> to add functions.</li> <li>When finished it should look like. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyhuzuisi63dysihbxuq1.png" alt=" " width="800" height="273"> </li> <li>Save it as the name you want to display when selecting the action. Ensure you select ``</li> </ol> <h2> Test Flow </h2> <ol> <li>Click the <code>Run</code> button and click <code>Run</code> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhhw9sohmwam5leb9lrd.png" alt=" " width="370" height="460"> </li> <li>When it has completed the execution it should be successful. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj8hlcbqdfvgp114jvw4k.png" alt=" " width="800" height="239"> </li> <li>Open the flow directly and it should return similair to <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fanp4i309sxo9zfbpo7x5.png" alt=" " width="275" height="20"> </li> </ol> <p><code>`<br> {<br> "output": {<br> "length": 1<br> },<br> "statusCode": 200<br> }<br> `</code></p> DarkEdges Sat, 16 Aug 2025 06:33:53 +0000 https://forem.com/darkedges/creating-a-connector-using-the-okta-workflow-connector-builder-1l90 https://forem.com/darkedges/creating-a-connector-using-the-okta-workflow-connector-builder-1l90 <p>Okta Workflow is a no code development environment to create workflows to perform a large number of operations based on Connections. If there is not a Connector available you can create your own using their Connector Builder, and the best part is that you can try it out using their free Integration account.</p> <p>Okta workflow no code approach is drag and drop between functions / actions. Most functions have <code>Inputs</code> and <code>Outputs</code>, so you can drag an <code>Output</code> onto an <code>Input</code>. Once done you can highlight <code>Input</code> or <code>Output</code> to see the connection.</p> <p>For example:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fag8so80vga3287xu1dbs.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fag8so80vga3287xu1dbs.gif" alt=" " width="1100" height="725"></a></p> <p>Here are the basic steps.</p> <ol> <li>Create a Connector.</li> <li>Configure Authentication.</li> <li>Create a <code>httpHelper</code> flow - used by the connector to make requests using the connection Acces token.</li> <li>Create a <code>_pingAuth</code> flow - Validates the Access Token to see if it needs to be renewed.</li> <li>Create a <code>action</code> flow- Performs an operation that can be used in Flow.</li> <li>Deploy it</li> </ol> <h2> Create a Connector. </h2> <ol> <li>Connect to your Okta Workflow instance.</li> <li>Select <code>Connector Builder</code>.</li> <li>Under <code>Connectors</code> click the <code>+</code> icon.</li> <li>Provide the name for the connector and click the <code>Save</code> button.<img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpxywq1ni3uo8dh9zqgo.jpeg" alt=" " width="574" height="480"> </li> </ol> <h2> Configure Authentication. </h2> <ol> <li>Click the <code>Add Authentication</code> button and fill out the details <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjswa5ngdihpekcnwwcm8.png" alt=" " width="799" height="484"> </li> </ol> <h2> Create a Test Connection </h2> <ol> <li>Click <code>Test Connections</code> </li> <li>Click <code>+New Connection</code> </li> <li>Provide the details and click the <code>Create</code> button <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphr96iwgcyevgmf71mvg.png" alt=" " width="604" height="867"> </li> </ol> <h2> Create a <code>httpHelper</code> flo. </h2> <ol> <li>Select <code>Flows</code> </li> <li>Click <code>+New Flow</code> </li> <li>In the <code>When this happens</code> block click <code>Add event</code> and select <code>Helper Flow</code>. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx9rydl0p775r4gvzn8eb.png" alt=" " width="800" height="375"> </li> <li>In the <code>Then do this</code> block click <code>Add function</code> to add functions.</li> <li>When finished it should look like. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5oyxzh94m8vv8aunoux7.png" alt=" " width="800" height="252"> </li> <li>Save it as <code>httpHelper</code> </li> </ol> <h2> Create a <code>_pingAuth</code> flo. </h2> <ol> <li>Select <code>Flows</code> </li> <li>Click <code>+New Flow</code> </li> <li>In the <code>When this happens</code> block click <code>Add event</code> and select <code>Authping</code>. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnq3z96648g1en07tdkpn.png" alt=" " width="785" height="337"> </li> <li>In the <code>Then do this</code> block click <code>Add function</code> to add functions.</li> <li>When finished it should look like. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjavnhfhw3299k36sqhsb.png" alt=" " width="800" height="400"> </li> <li>Save it as <code>_authPing</code> </li> </ol> <h2> Create a <code>action</code> flo. </h2> <ol> <li>Select <code>Flows</code> </li> <li>Click <code>+New Flow</code> </li> <li>In the <code>When this happens</code> block click <code>Add event</code> and select <code>Action</code>. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdpy95o2n96zfjgbgc1d9.png" alt=" " width="776" height="547"> </li> <li>In the <code>Then do this</code> block click <code>Add function</code> to add functions.</li> <li>When finished it should look like. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fus21tjkz49ezoubqak5u.png" alt=" " width="800" height="561"> </li> <li>Save it as the name you want to display when selecting the action.</li> </ol> <h2> Deploy </h2> <ol> <li>Click <code>Deployment</code> </li> <li>Click <code>Validate connector</code> and then <code>Done</code> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffz5qjkkj81yx93zm3d0s.png" alt=" " width="250" height="85"> </li> <li>Click <code>Deploy test version</code> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd7h92luyjf80ur5jdmcg.png" alt=" " width="350" height="63"> </li> <li>Click <code>Deploy local connector</code> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm2ig8j3v3tqz2p11h7uq.png" alt=" " width="356" height="61"> </li> </ol> <p>That gets a connector deployed and ready for using in an actual flow.</p> DarkEdges Sat, 16 Aug 2025 02:09:24 +0000 https://forem.com/darkedges/finally-testing-the-solution-3bkb https://forem.com/darkedges/finally-testing-the-solution-3bkb <p>To recap, we have an Private Application Load Balancer, Fargate ECS Cluster and an AWS API Gateway v2. So know we can test the solution. </p> aws apigateway systemdesign testing DarkEdges Sat, 16 Aug 2025 02:06:00 +0000 https://forem.com/darkedges/deploying-the-aws-api-gateway-v2-to-localstack-49ab https://forem.com/darkedges/deploying-the-aws-api-gateway-v2-to-localstack-49ab <p>We are getting close to being able to test our solution, the final piece is the deployment of an AWS API Gateway v2 with an Authorizer that trusts Auth0 tokens.</p> <p>For this we will create a number of AWS Configurations</p> <ul> <li>API Gateway V2 will connect to the Fargate API Instance we deployed previously.</li> </ul> <p>This is a lot of configuration items so they are avaiable in the following branch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git switch apiv2 </code></pre> </div> <p>First we will plan and then apply the changes if that is green, by using the following commands.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform plan terraform apply --auto-approve </code></pre> </div> <p>Once it has been deployed you should get the following output<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>alb = "http://alb.elb.localhost.localstack.cloud:4566/" </code></pre> </div> <p>We will use this address in a future request to confirm the API has been deployed correctly.</p> DarkEdges Sat, 16 Aug 2025 02:01:06 +0000 https://forem.com/darkedges/deploying-api-via-aws-fargate-4noi https://forem.com/darkedges/deploying-api-via-aws-fargate-4noi <p>Now we have a Private Application Load Balancer deployed we can look at putting an API behind it. For this we will use an existing container image <code>darkedges/providerapi:1.0.2</code> which provides a basic API that we are going to serve via an AWS API Gateway V2 protected by an Auth0 Access Token.</p> <p>For this we will create a number of AWS Configurations</p> <ul> <li>ECS Cluster as our Fargate service.</li> <li>ECS Service Task to deploy the custom API Container</li> <li>ALB updates to link it al.</li> </ul> <p>This is a lot of configuration items so they are avaiable in the following branch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git switch fargate </code></pre> </div> <p>First we will plan and then apply the changes if that is green, by using the following commands.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform plan terraform apply --auto-approve </code></pre> </div> <p>Once it has been deployed you should get the following output<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>alb = "http://alb.elb.localhost.localstack.cloud:4566/" </code></pre> </div> <p>We will use this address in a future request to confirm the API has been deployed correctly.</p> DarkEdges Sat, 16 Aug 2025 00:49:39 +0000 https://forem.com/darkedges/deploying-an-alb-to-localstack-4b01 https://forem.com/darkedges/deploying-an-alb-to-localstack-4b01 <p>In the previous articles we stood up LocalStack and configured Terraform to plan a deployment. Next we will deploy an ALB to the platform and get its address so that we can use it in the next time.</p> <p>For this we will create a number of AWS Configurations</p> <ul> <li>VPC to deploy into.</li> <li>Networking to allow the ALB to be deployed and connect to the ECS instance.</li> <li>SecurityGroups to manage all the network egress / ingress between services.</li> <li>ALB the Application Load Balancer.</li> </ul> <p>This is a lot of configuration items so they are avaiable in the following branch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git switch alb </code></pre> </div> <p>First we will plan and then apply the changes if that is green, by using the following commands.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform plan terraform apply --auto-approve </code></pre> </div> <p>Once it has been deployed you should get the following output<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>alb = "http://alb.elb.localhost.localstack.cloud:4566/" </code></pre> </div> <p>We will use this address in a future request to confirm the API has been deployed correctly.</p> DarkEdges Fri, 15 Aug 2025 23:44:20 +0000 https://forem.com/darkedges/configuring-terraform-to-deploy-into-localstack-9jk https://forem.com/darkedges/configuring-terraform-to-deploy-into-localstack-9jk <p>From our previous article we have successfuly registered and deployed LocalStack. Now we are planning to deploy our API onto LocalStack using AWS Fargate via Terraform, but we need to deploy some supporting services first, such as the core Terraform configuration.</p> <h2> Terraform </h2> <p>We are going to be using terraform to manage our state so lets create the <code>terraform</code> directory and place the following file <code>_provider.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>provider "aws" { region = "us-east-1" access_key = "test" secret_key = "test" endpoints { acm = "http://localhost:4566" amplify = "http://localhost:4566" apigateway = "http://localhost:4566" apigatewayv2 = "http://localhost:4566" appconfig = "http://localhost:4566" applicationautoscaling = "http://localhost:4566" appsync = "http://localhost:4566" athena = "http://localhost:4566" autoscaling = "http://localhost:4566" backup = "http://localhost:4566" batch = "http://localhost:4566" cloudformation = "http://localhost:4566" cloudfront = "http://localhost:4566" cloudsearch = "http://localhost:4566" cloudtrail = "http://localhost:4566" cloudwatch = "http://localhost:4566" cloudwatchlogs = "http://localhost:4566" codecommit = "http://localhost:4566" cognitoidentity = "http://localhost:4566" cognitoidp = "http://localhost:4566" config = "http://localhost:4566" costexplorer = "http://localhost:4566" docdb = "http://localhost:4566" dynamodb = "http://localhost:4566" ec2 = "http://localhost:4566" ecr = "http://localhost:4566" ecs = "http://localhost:4566" efs = "http://localhost:4566" eks = "http://localhost:4566" elasticache = "http://localhost:4566" elasticbeanstalk = "http://localhost:4566" elasticsearch = "http://localhost:4566" elb = "http://localhost:4566" elbv2 = "http://localhost:4566" emr = "http://localhost:4566" events = "http://localhost:4566" firehose = "http://localhost:4566" glacier = "http://localhost:4566" glue = "http://localhost:4566" iam = "http://localhost:4566" iot = "http://localhost:4566" iotanalytics = "http://localhost:4566" iotevents = "http://localhost:4566" kafka = "http://localhost:4566" kinesis = "http://localhost:4566" kinesisanalytics = "http://localhost:4566" kinesisanalyticsv2 = "http://localhost:4566" kms = "http://localhost:4566" lakeformation = "http://localhost:4566" lambda = "http://localhost:4566" mediaconvert = "http://localhost:4566" mediastore = "http://localhost:4566" neptune = "http://localhost:4566" organizations = "http://localhost:4566" qldb = "http://localhost:4566" rds = "http://localhost:4566" redshift = "http://localhost:4566" redshiftdata = "http://localhost:4566" resourcegroups = "http://localhost:4566" resourcegroupstaggingapi = "http://localhost:4566" route53 = "http://localhost:4566" route53resolver = "http://localhost:4566" s3 = "http://s3.localhost.localstack.cloud:4566" s3control = "http://localhost:4566" sagemaker = "http://localhost:4566" secretsmanager = "http://localhost:4566" serverlessrepo = "http://localhost:4566" servicediscovery = "http://localhost:4566" ses = "http://localhost:4566" sesv2 = "http://localhost:4566" sns = "http://localhost:4566" sqs = "http://localhost:4566" ssm = "http://localhost:4566" stepfunctions = "http://localhost:4566" sts = "http://localhost:4566" swf = "http://localhost:4566" timestreamwrite = "http://localhost:4566" transfer = "http://localhost:4566" waf = "http://localhost:4566" wafv2 = "http://localhost:4566" xray = "http://localhost:4566" } default_tags { tags = { Environment = "Local" Service = "LocalStack" } } } terraform { required_providers { aws = { source = "hashicorp/aws" version = "5.100.0" } } } </code></pre> </div> <p>We can test it is working by performing the following<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform init terraform plan </code></pre> </div> <p>If all went well we should see</p> <h2> terraform init </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Initializing the backend... Initializing provider plugins... - Finding hashicorp/aws versions matching "6.9.0"... - Installing hashicorp/aws v6.9.0... - Installed hashicorp/aws v6.9.0 (signed by HashiCorp) Terraform has created a lock file .terraform.lock.hcl to record the provider selections it made above. Include this file in your version control repository so that Terraform can guarantee to make the same selections by default when you run "terraform init" in the future. Terraform has been successfully initialized! You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary. </code></pre> </div> <h2> terraform plan </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. </code></pre> </div> DarkEdges Fri, 15 Aug 2025 22:45:27 +0000 https://forem.com/darkedges/protecting-an-api-with-aws-api-gateway-and-auth0-5ggb https://forem.com/darkedges/protecting-an-api-with-aws-api-gateway-and-auth0-5ggb <p>You have an API that you would like to protect with an OAuth Access Token from Auth0 using AWS API Gateway. Sounds simple enough, so lets do this using a local development environment thats hosts </p> <ul> <li>API - Deployed as a simple Go API Services using AWS Fargate</li> <li>API Gateway - Deployed using API Gateway V2</li> </ul> <p>Now this normally would require creating an AWS Account, but we are going to be using LocalStack which provide those services (and more) in a container that can be deployed locally. This way we can learn AWS without the costs (its not much anyway) by deploying the services via Terraform.</p> <h2> Pre-requisites </h2> <p>We are assuming that you have the following deployed locally</p> <ul> <li>Docker</li> <li>Terraform</li> <li>Visual Studio Code</li> <li>Git</li> </ul> <p>You will also need to sign up at <a href="https://app.localstack.cloud/sign-up" rel="noopener noreferrer">https://app.localstack.cloud/sign-up</a> to get an API Key that we need to run this stack.</p> <h2> Signup and New Instance </h2> <p>The following outlines the basic steps to get a localstack instance registered</p> <h3> Signup </h3> <ol> <li>Open <a href="https://app.localstack.cloud/sign-up" rel="noopener noreferrer">https://app.localstack.cloud/sign-up</a> </li> <li>Provide an email address and click <code>Continue</code>.</li> <li>Provide a password and click <code>Continue</code>.</li> <li>Provide your details and click <code>Start Trial</code>.</li> <li>Check your email and follow the instrucions provided to <code>Activate Account</code> </li> <li>When completed login using the details your provided earlier and click <code>Continue</code>.</li> </ol> <h3> Get Personal Auth Token </h3> <ol> <li>Go to <a href="https://app.localstack.cloud/settings/auth-tokens" rel="noopener noreferrer">https://app.localstack.cloud/settings/auth-tokens</a> </li> <li>Under Personal Auth Token click the <code>Copy</code> icon.</li> </ol> <h2> Deploying LocalStack </h2> <p>Create a file <code>docker-compose.yaml</code> with the following and replace <code>&lt;copy PAT here&gt;</code> with your PAT you copied earlier.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>services: localstack: container_name: "lsa-localstack" image: localstack/localstack-pro:latest environment: LOCALSTACK_AUTH_TOKEN: &lt;copy PAT here&gt; ports: - "127.0.0.1:4566:4566" - "127.0.0.1:4510-4559:4510-4559" - "127.0.0.1:443:443" volumes: - "localstack:/var/lib/localstack:rw" - "/var/run/docker.sock:/var/run/docker.sock" healthcheck: test: ["CMD", "curl", "-f", "http://localhost:4566/_localstack/health"] interval: 10s timeout: 5s retries: 5 start_period: 15s networks: localstack: aliases: - localstack volumes: localstack: networks: localstack: </code></pre> </div> <p>and deploy it using <code>docker compose up -d</code></p> <p>You can confirm it is working by going to <a href="https://app.localstack.cloud/inst/default/status" rel="noopener noreferrer">https://app.localstack.cloud/inst/default/status</a> and the services should be marked as <code>available</code></p> <h3> CLI </h3> <p>You can install a version of the AWS CLI that works with localstack by reviewing <a href="https://docs.localstack.cloud/aws/integrations/aws-native-tools/aws-cli/" rel="noopener noreferrer">https://docs.localstack.cloud/aws/integrations/aws-native-tools/aws-cli/</a></p> <p>That concludes this part. Next we configure Terraform and deploy our API Service into AWS Fargate.</p> webdev aws containers DarkEdges Tue, 22 Apr 2025 12:50:08 +0000 https://forem.com/darkedges/kind-wsl2-and-multus-5b9p https://forem.com/darkedges/kind-wsl2-and-multus-5b9p <p>All we wanted to do was install <code>kubevirt</code> create 3 Windows 2022 servers and have them talk to one another over a static IP Address. Simple we thought, Just tell the Virtual Machine to use a host-only IP Address and we are in the money.</p> <p>Firstly you cannot assign a second network interface unless it is another CNI implementation and secondly you need to install more black magic to make it work.</p> <p>That black magic is <a href="https://github.com/k8snetworkplumbingwg/multus-cni" rel="noopener noreferrer">https://github.com/k8snetworkplumbingwg/multus-cni</a></p> <h2> Step 0 - Install WSL2 and AlmaLinux 9 with docker </h2> <p>We will write a seperate guide on how to do this and update this one with a link to it. </p> <h2> Step 1 - Install kind </h2> <p>We are using <code>kind</code> as it is a supported version for <code>kubevirt</code> so we do that by creating a config file and using it in the deployment<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kind.x-k8s.io/v1alpha4</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Cluster</span> <span class="na">nodes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">control-plane</span> </code></pre> </div> <p>Then create the cluster using<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kind create cluster --name kubevirt --config=kind_config.yaml </span></code></pre> </div> <h2> Step 2 - Install Multus Daemonset </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl apply -f https://raw.githubusercontent.com/k8snetworkplumbingwg/multus-cni/master/deployments/multus-daemonset-thick.yml </span></code></pre> </div> <h2> Step 3 - Install CNI plugins </h2> <p>First find the name of control plane<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get nodes </span></code></pre> </div> <p>which returns <code>kubevirt-control-plane</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">NAME STATUS ROLES AGE VERSION kubevirt-control-plane Ready control-plane 51m v1.32.2 </span></code></pre> </div> <p>then connect to the control plane<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker exec -it kubevirt-control-plane sh </code></pre> </div> <p>to allow us to install the missing CNI Plugins<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">cd /tmp curl -L -o cni-plugins.tgz https://github.com/containernetworking/plugins/releases/download/v1.6.2/cni-plugins-linux-amd64-v1.6.2.tgz tar -C /opt/cni/bin -xzf cni-plugins.tgz rm -rf cni-plugins.tgz </span></code></pre> </div> <h2> Step 4 create a NetworkAttachmentDefinition </h2> <p>This is done through the following<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">cat &lt;&lt;EOF | kubectl create -f - apiVersion: "k8s.cni.cncf.io/v1" kind: NetworkAttachmentDefinition metadata: name: ipvlan-def spec: config: '{ "cniVersion": "0.3.1", "type": "ipvlan", "master": "eth0", "mode": "l2", "ipam": { "type": "host-local", "subnet": "192.168.200.0/24", "rangeStart": "192.168.200.201", "rangeEnd": "192.168.200.205", "gateway": "192.168.200.1" } }' EOF </span></code></pre> </div> <h2> Step 5 - Create some Pods with additional network interfaces </h2> <p>The following creates</p> <ul> <li>3 pods with additional Network Interfaces listing on <ul> <li> <code>192.168.200.201</code> - <code>multus-alpine</code> </li> <li> <code>192.168.200.202</code> - <code>multus-alpine-2</code> </li> <li> <code>192.168.200.203</code> - <code>net-pod</code> </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">cat &lt;&lt;EOF | kubectl create -f - --- apiVersion: v1 kind: Pod metadata: labels: app: multus-alpine name: multus-alpine namespace: default annotations: k8s.v1.cni.cncf.io/networks: '[ { "name" : "ipvlan-def", "interface": "eth1", "ips": ["192.168.200.201"] } ]' spec: containers: - name: multus-alpine image: jmalloc/echo-server restartPolicy: Always --- apiVersion: v1 kind: Pod metadata: labels: app: multus-alpine-2 name: multus-alpine-2 namespace: default annotations: k8s.v1.cni.cncf.io/networks: '[ { "name" : "ipvlan-def", "interface": "eth1", "ips": ["192.168.200.202"] } ]' spec: containers: - name: multus-alpine image: jmalloc/echo-server restartPolicy: Always --- apiVersion: v1 kind: Pod metadata: name: net-pod annotations: k8s.v1.cni.cncf.io/networks: '[ { "name" : "ipvlan-def", "interface": "eth1", "ips": ["192.168.200.203"] } ]' spec: containers: - name: netshoot-pod image: nicolaka/netshoot command: ["tail"] args: ["-f", "/dev/null"] terminationGracePeriodSeconds: 0 EOF </span></code></pre> </div> <h2> Step 6 - Test connectivity </h2> <p>Check that we are getting responses from both <code>multus-alpine</code> and <code>multus-alpine-2</code> from the <code>net-pod</code></p> <h3> multus-alpine </h3> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl exec -it net-pod -- curl http://192.168.200.201:8080/ </span></code></pre> </div> <p>returns<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Request served by multus-alpine GET / HTTP/1.1 Host: 192.168.200.201:8080 Accept: */* User-Agent: curl/8.7.1 </span></code></pre> </div> <h3> multus-alpine-2 </h3> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl exec -it net-pod -- curl http://192.168.200.202:8080/ </span></code></pre> </div> <p>returns<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Request served by multus-alpine-2 GET / HTTP/1.1 Host: 192.168.200.202:8080 Accept: */* User-Agent: curl/8.7.1 </span></code></pre> </div> kubernetes multus microsoft