Forem: Cao Duy Khanh The latest articles on Forem by Cao Duy Khanh (@khanhcd92). https://forem.com/khanhcd92 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F553394%2F3315b30a-38ef-4d8e-9d8b-768d59f24d12.jpeg Forem: Cao Duy Khanh https://forem.com/khanhcd92 en Static Analysis for CloudFormation Cao Duy Khanh Wed, 29 Dec 2021 17:38:27 +0000 https://forem.com/khanhcd92/static-analysis-for-cloud-formation-1lk5 https://forem.com/khanhcd92/static-analysis-for-cloud-formation-1lk5 <p>To satisfy CloudFormation is well, we should apply static analysis tool for it.<br> Today, I would like 2 static analysis tools:</p> <ul> <li> <a href="https://github.com/aws-cloudformation/cfn-lint">cfn-lint</a>: Verify that the template is correct.</li> <li> <a href="https://github.com/stelligent/cfn_nag">cfn-nag</a>: Verify that there is no code that poses a security risk.</li> </ul> <h2> Sections </h2> <ul> <li>Setup</li> <li>cfn-lint Usage</li> <li>cfn_nag Usage</li> </ul> <h2> Setup </h2> <ul> <li>cfn-lint </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>cfn-lint </code></pre> </div> <ul> <li>cfn_nag </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gem <span class="nb">install </span>cfn-nag </code></pre> </div> <ul> <li>setup cloudformation template with name s3.yml </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">S3 Cloudformation Template</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">EnvironmentStage</span><span class="pi">:</span> <span class="na">AllowedValues</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">Dev"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">Stg"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">Prod"</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Dev"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Environment</span><span class="nv"> </span><span class="s">Dev,</span><span class="nv"> </span><span class="s">Staging,</span><span class="nv"> </span><span class="s">Production"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">WebCmsOAI</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudFront::CloudFrontOriginAccessIdentity</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CloudFrontOriginAccessIdentityConfig</span><span class="pi">:</span> <span class="na">Comment</span><span class="pi">:</span> <span class="s">Origin Access Identity for Web Cms S3 Bucket</span> <span class="na">WebCmsBucket</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::StackName}-web-cms'</span> <span class="na">CorsConfiguration</span><span class="pi">:</span> <span class="na">CorsRules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">AllowedHeaders</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">AllowedMethods</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">GET</span> <span class="pi">-</span> <span class="s">PUT</span> <span class="na">AllowedOrigins</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">MaxAge</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">VersioningConfiguration</span><span class="pi">:</span> <span class="na">Status</span><span class="pi">:</span> <span class="s">Enabled</span> <span class="na">WebsiteConfiguration</span><span class="pi">:</span> <span class="na">ErrorDocument</span><span class="pi">:</span> <span class="s">index.html</span> <span class="na">IndexDocument</span><span class="pi">:</span> <span class="s">index.html</span> <span class="na">WebCmsBucketPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::BucketPolicy</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">WebCmsBucket</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">WebCmsBucket</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">s3:GetObject'</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:s3:::${AWS::StackName}-web-cms/*'</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">CanonicalUser</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">WebCmsOAI.S3CanonicalUserId</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">WebCmsBucket</span><span class="pi">:</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">WebCmsBucket</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::StackName}-WebCmsBucket'</span> <span class="na">WebCmsBucketEndpoint</span><span class="pi">:</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">'</span> <span class="pi">-</span> <span class="pi">-</span> <span class="kt">!GetAtt</span> <span class="pi">-</span> <span class="s">WebCmsBucket</span> <span class="pi">-</span> <span class="s">RegionalDomainName</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::StackName}-WebCmsBucketEndpoint'</span> <span class="na">WebCmsOAI</span><span class="pi">:</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">WebCmsOAI</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${AWS::StackName}-WebCmsOAI</span> </code></pre> </div> <h2> cfn-lint Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> cfn-lint s3.yml W2001 Parameter EnvironmentStage not used. s3.yml:7:3 W3005 Obsolete DependsOn on resource <span class="o">(</span>WebCmsBucket<span class="o">)</span>, dependency already enforced by a <span class="s2">"Ref"</span> at Resources/PublicCMSWebsitePolicy/Properties/Bucket/Ref s3.yml:46:5 </code></pre> </div> <p>As you can see, cfn-lint output covers all 2 issues that we previously highlighted in the form of warnings and errors. Errors indicate issues that will prevent your CloudFormation stack from deploying, and warnings indicate potential issues in your stack that you might want to think about.</p> <p>cfn-lint also comes with extensive configuration support which allows you to customise your linting rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">WebCmsBucketPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::BucketPolicy</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">WebCmsBucket</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">WebCmsBucket</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">s3:GetObject'</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:s3:::${AWS::StackName}-web-cms/*'</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">CanonicalUser</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">WebCmsOAI.S3CanonicalUserId</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">cfn-lint</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">ignore_checks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">W3005</span> </code></pre> </div> <h2> cfn_nag Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> cfn_nag_scan <span class="nt">-i</span> s3.yml <span class="nt">------------------------------------------------------------</span> s3.yml <span class="nt">------------------------------------------------------------------------------------------------------------------------</span> | WARN W35 | | Resource: <span class="o">[</span><span class="s2">"WebCmsBucket"</span><span class="o">]</span> | Line Numbers: <span class="o">[</span>25] | | S3 Bucket should have access logging configured <span class="nt">------------------------------------------------------------</span> | WARN W41 | | Resource: <span class="o">[</span><span class="s2">"WebCmsBucket"</span><span class="o">]</span> | Line Numbers: <span class="o">[</span>25] | | S3 Bucket should have encryption option <span class="nb">set </span>Failures count: 0 Warnings count: 2 </code></pre> </div> <p>As you can see, cfn_nag output covers all 2 issues that we previously highlighted in the form of warnings and failures. These issues that will prevent your CloudFormation stack from security risks</p> <p>cfn_nag also comes with extensive configuration support which allows you to customise your rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">WebCmsBucket</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::StackName}-web-cms'</span> <span class="na">CorsConfiguration</span><span class="pi">:</span> <span class="na">CorsRules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">AllowedHeaders</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">AllowedMethods</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">GET</span> <span class="pi">-</span> <span class="s">PUT</span> <span class="na">AllowedOrigins</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">MaxAge</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">VersioningConfiguration</span><span class="pi">:</span> <span class="na">Status</span><span class="pi">:</span> <span class="s">Enabled</span> <span class="na">WebsiteConfiguration</span><span class="pi">:</span> <span class="na">ErrorDocument</span><span class="pi">:</span> <span class="s">index.html</span> <span class="na">IndexDocument</span><span class="pi">:</span> <span class="s">index.html</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">cfn_nag</span><span class="pi">:</span> <span class="na">rules_to_suppress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">W35</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Test</span><span class="nv"> </span><span class="s">ignore</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">Bucket</span><span class="nv"> </span><span class="s">should</span><span class="nv"> </span><span class="s">have</span><span class="nv"> </span><span class="s">access</span><span class="nv"> </span><span class="s">logging</span><span class="nv"> </span><span class="s">configured"</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">W41</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Test</span><span class="nv"> </span><span class="s">ignore</span><span class="nv"> </span><span class="s">rule</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">Bucket</span><span class="nv"> </span><span class="s">should</span><span class="nv"> </span><span class="s">have</span><span class="nv"> </span><span class="s">encryption</span><span class="nv"> </span><span class="s">option</span><span class="nv"> </span><span class="s">set"</span> </code></pre> </div> aws cloudformation cfnlint cfnnag Nginx + Private S3 Cao Duy Khanh Sat, 07 Aug 2021 17:12:45 +0000 https://forem.com/khanhcd92/nginx-private-s3-515h https://forem.com/khanhcd92/nginx-private-s3-515h <p>How can I view photos on private S3. Today I will show how we can do it with Nginx on AWS. We first need to set up something like below:</p> <ul> <li>VPC(10.0.0.0/16) with a public subnet and a private subnet</li> <li>VPC Endpoint for s3</li> <li>A static web on ECS Fargate with Nginx</li> <li>Private S3 Bucket which store images of application <img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05us8i6mizmix2uuorzv.png" alt="Alt Text"> </li> </ul> <p>We will have a static web like below with an image loaded from the internet.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpng7yocawiei3d2ix764.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpng7yocawiei3d2ix764.png" alt="Alt Text"></a></p> <p>I have an image which store on S3. So I want to own static web will view that image.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp3ore320m60h17spwuhi.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp3ore320m60h17spwuhi.jpg" alt="Alt Text"></a></p> <p>Now I will go into setting specific sections.</p> <p>(1) First we will need to update S3's bucket policy to only allow viewing of images from the vpc endpoint.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> { "Version": "2008-10-17", "Id": "PolicyForCloudFrontPrivateContent", "Statement": [ { "Sid": "Access-to-specific-VPCE-only", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-static-s3/*", "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-0d92e50f230bc8070" } } } ] } </code></pre> </div> <p>(2) Next we will configure Nginx to be able to view images from S3 as shown below.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> location ~^/image/(.+)$ { resolver 10.0.0.2; proxy_pass http://s3-ap-southeast-1.amazonaws.com/demo-static-s3/image/$1; } </code></pre> </div> <ul> <li> <strong>resolver</strong>: IP address of the DNS server in your AWS VPC</li> </ul> <p>I have VPC with CIDR range is 10.0.0.0/16. So IP address of the DNS server is 10.0.0.2 =&gt; Resolver is 10.0.0.2</p> <blockquote> <p>10.0.0.0: Network address.<br> 10.0.0.1: Reserved by AWS for the VPC router.<br> 10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see Amazon DNS server.<br> 10.0.0.3: Reserved by AWS for future use.<br> 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.</p> </blockquote> <p>Refer: <a href="https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html" rel="noopener noreferrer">https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html</a></p> <ul> <li> <strong>proxy_pass</strong>: s3 link</li> </ul> <p>Format: <a href="http://s3-ap-southeast-1.amazonaws.com/%5Bmain_bucket%5D/%5Bsub_bucket%5D/$1" rel="noopener noreferrer">http://s3-ap-southeast-1.amazonaws.com/[main_bucket]/[sub_bucket]/$1</a></p> <p>(3) Next I will change the html to load an image from s3 instead of an online image.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> &lt;div class="container"&gt; &lt;h1&gt;Hey there&lt;/h1&gt; &lt;img src="https://cleandevs.com/image/668c1d479e27bb8750823655c83a6c9bd90263f9_hq.jpg"/&gt; &lt;/div&gt; </code></pre> </div> <p>(4) Finally, I will deploy to ECS Fargate. The result you will see is as below.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3rlvx1c90sp62fqfbyr2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3rlvx1c90sp62fqfbyr2.png" alt="Alt Text"></a></p> <p>It is able to solution to view images from S3 without using CloudFront.</p> nginx aws s3 cloudfront How to config Gitlab CI just checks commit changed files Cao Duy Khanh Thu, 05 Aug 2021 13:32:21 +0000 https://forem.com/khanhcd92/how-to-config-gitlab-ci-just-checks-commit-changed-files-1kab https://forem.com/khanhcd92/how-to-config-gitlab-ci-just-checks-commit-changed-files-1kab <p><strong>[Background]</strong><br> I have a Python project with config CI on Gitlab. It has a lint stage which will check code quality of all source code when push event or merge request event is triggered. It will take time to check all source code with merge request. And it will not focus on code quality of merge request. It should check code quality on commit change files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">pylint</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">lint</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">mkdir -p public/badges public/lint</span> <span class="pi">-</span> <span class="s">echo undefined &gt; public/badges/$CI_JOB_NAME.score</span> <span class="pi">-</span> <span class="s">pip install pylint-gitlab</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pip install -r requirements.txt</span> <span class="pi">-</span> <span class="s">pylint --rcfile=.pylintrc --exit-zero --output-format=text $(find -type f -name "*.py" ! -path "**/.venv/**") | tee /tmp/pylint.txt</span> <span class="pi">-</span> <span class="s">sed -n 's/^Your code has been rated at \([-0-9.]*\)\/.*/\1/p' /tmp/pylint.txt &gt; public/badges/$CI_JOB_NAME.score</span> <span class="pi">-</span> <span class="s">pylint --exit-zero --output-format=pylint_gitlab.GitlabCodeClimateReporter $(find -type f -name "*.py" ! -path "**/.venv/**") &gt; codeclimate.json</span> <span class="pi">-</span> <span class="s">pylint --exit-zero --output-format=pylint_gitlab.GitlabPagesHtmlReporter $(find -type f -name "*.py" ! -path "**/.venv/**") &gt; public/lint/index.html</span> <span class="na">after_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">anybadge --overwrite --label $CI_JOB_NAME --value=$(cat public/badges/$CI_JOB_NAME.score) --file=public/badges/$CI_JOB_NAME.svg 4=red 6=orange 8=yellow 10=green</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">echo "Your score is: $(cat public/badges/$CI_JOB_NAME.score)"</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">public</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">codequality</span><span class="pi">:</span> <span class="s">codeclimate.json</span> <span class="na">when</span><span class="pi">:</span> <span class="s">always</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">develop</span> <span class="pi">-</span> <span class="s">merge_requests</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker</span> </code></pre> </div> <p><strong>[Solution]</strong><br> Here is a solution to resolve my problems.<br> I will create another config pylint for merge request event. It just check code quality on commit changed files compare with merge request target branch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">pylint_merge_request</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">lint</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pip install pylint-gitlab</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo CI_COMMIT_SHA=${CI_COMMIT_SHA}</span> <span class="pi">-</span> <span class="s">echo CI_MERGE_REQUEST_TARGET_BRANCH_NAME=${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}</span> <span class="pi">-</span> <span class="s">git fetch origin ${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}</span> <span class="pi">-</span> <span class="s">FILES=$(git diff --name-only ${CI_COMMIT_SHA} origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME} | grep '\.py'$)</span> <span class="pi">-</span> <span class="s">echo "Changed files are $FILES"</span> <span class="pi">-</span> <span class="s">pip install -r requirements.txt</span> <span class="pi">-</span> <span class="s">pylint --rcfile=.pylintrc --output-format=text $FILES | tee /tmp/pylint.txt</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">merge_requests</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker</span> </code></pre> </div> <p>I hope it is helpful for everyone. You can use it for other programing languages on Gitlab.</p> gitlab python devops How to Free AWS Lambda Code Storage when Limit Exceeded Cao Duy Khanh Wed, 28 Apr 2021 21:08:52 +0000 https://forem.com/khanhcd92/how-to-free-aws-lambda-code-storage-when-limit-exceeded-3k81 https://forem.com/khanhcd92/how-to-free-aws-lambda-code-storage-when-limit-exceeded-3k81 <p>Use the following <a href="https://github.com/khanhcd92/clear-lambda-storage-nodejs">open-source tool</a> on GitHub.</p> <p>You are already up and running with AWS Lambda for several months, and all of a sudden you get the following error: </p> <p><strong><em>An error occurred: TestDashdeliveryLambdaFunction – Code storage limit exceeded. (Service: AWSLambda; Status Code: 400; Error Code: CodeStorageExceededException; Request ID: 05d3ae68-e7f6-11e8-948e-41c27396380e).</em></strong></p> <h3> Why is it happening? </h3> <p>AWS limits the amount of “code storage” it saves on their internal S3 for Lambda functions of up to 75GB.</p> <p>Although it sounds like a lot of space, you can easily exceed that storage limit. In case you’re using the Serverless Framework, its default is to store a version for every deployment you make. It’s also affected by the programming language you are using.</p> <h3> Solving the issue </h3> <p>If you don’t need to store a version for each deployment (like many of us), you can easily cancel it with the following addition to your serverless.yml file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>provider: name: aws runtime: nodejs14.x versionFunctions: false region: ${opt:region, 'us-east-1'} stage: ${opt:stage, 'dev'} </code></pre> </div> <p>Adding the versionFunctions: false parameter will cancel the version storing.</p> <h3> clear-lambda-storage: auto-clean old versions </h3> <p>If you prefer to keep older versions (e.g. for being able to rollback quickly), you’ll need to manually clean old ones. This time it’s the clear-lambda-storage. As simple as it sounds, it will take care of removing old and unused versions (i.e. that are neither currently deployed nor $LATEST) from every Lambda function, and from every region. Running it is very simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git clone https://github.com/khanhcd92/clear-lambda-storage-nodejs.git cd clear-lambda-storage-nodejs/ npm i node index.js </code></pre> </div> <h3> Advanced usage </h3> <p>Provide credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">node</span> <span class="nx">index</span><span class="p">.</span><span class="nx">js</span> <span class="o">--</span><span class="nx">access</span><span class="o">-</span><span class="nx">key</span> <span class="o">&lt;</span><span class="nx">access_key_id</span><span class="o">&gt;</span> <span class="o">--</span><span class="nx">secret</span><span class="o">-</span><span class="nx">key</span> <span class="o">&lt;</span><span class="nx">secret_access_key</span><span class="o">&gt;</span> <span class="o">--</span><span class="nx">num</span><span class="o">-</span><span class="nx">to</span><span class="o">-</span><span class="nx">keep</span> <span class="o">&lt;</span><span class="nx">number</span><span class="o">&gt;</span> </code></pre> </div> <p>Provide credentials with one region:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">node</span> <span class="nx">index</span><span class="p">.</span><span class="nx">js</span> <span class="o">--</span><span class="nx">access</span><span class="o">-</span><span class="nx">key</span> <span class="o">&lt;</span><span class="nx">access_key_id</span><span class="o">&gt;</span> <span class="o">--</span><span class="nx">secret</span><span class="o">-</span><span class="nx">key</span> <span class="o">&lt;</span><span class="nx">secret_access_key</span><span class="o">&gt;</span> <span class="o">--</span><span class="nx">num</span><span class="o">-</span><span class="nx">to</span><span class="o">-</span><span class="nx">keep</span> <span class="o">&lt;</span><span class="nx">number</span><span class="o">&gt;</span> <span class="o">--</span><span class="nx">regions</span> <span class="o">&lt;</span><span class="nx">region_code</span><span class="o">&gt;</span> </code></pre> </div> <p>Provide profile:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">node</span> <span class="nx">index</span><span class="p">.</span><span class="nx">js</span> <span class="o">--</span><span class="nx">profile</span> <span class="o">&lt;</span><span class="nx">profile_id</span><span class="o">&gt;</span> <span class="o">--</span><span class="nx">num</span><span class="o">-</span><span class="nx">to</span><span class="o">-</span><span class="nx">keep</span> <span class="o">&lt;</span><span class="nx">number</span><span class="o">&gt;</span> </code></pre> </div> <p>Provide profile with one region:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">node</span> <span class="nx">index</span><span class="p">.</span><span class="nx">js</span> <span class="o">--</span><span class="nx">profile</span> <span class="o">&lt;</span><span class="nx">profile_id</span><span class="o">&gt;</span> <span class="o">--</span><span class="nx">num</span><span class="o">-</span><span class="nx">to</span><span class="o">-</span><span class="nx">keep</span> <span class="o">&lt;</span><span class="nx">number</span><span class="o">&gt;</span> <span class="o">--</span><span class="nx">regions</span> <span class="o">&lt;</span><span class="nx">region_code</span><span class="o">&gt;</span> </code></pre> </div> aws serverless node How to resolve issue Access Denied between S3 and CloudFront Cao Duy Khanh Sun, 14 Feb 2021 03:56:05 +0000 https://forem.com/khanhcd92/how-to-resolve-issue-access-denied-between-s3-and-cloudfront-1i39 https://forem.com/khanhcd92/how-to-resolve-issue-access-denied-between-s3-and-cloudfront-1i39 <p>I have setup S3 to store image files and access them through CloudFront. But I have an error <strong>Access Denied</strong> and link CloudFront was redirect to S3 link as below image:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fb6rh4x2dm1p2xjjeu47q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fb6rh4x2dm1p2xjjeu47q.png" alt="Alt Text"></a></p> <p>The root cause of issue relates to <strong><em>“Requests made with the legacy global endpoint go to US East (N. Virginia) by default.”</em></strong></p> <p><strong>Refer:</strong> <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html</a></p> <p>To fix this issue, we need to back to setup CloudFront before.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F7dwh16sc91va5yfpk9h3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F7dwh16sc91va5yfpk9h3.png" alt="Alt Text"></a><br> Normally, we will select own s3 bucket which contains static files on dropdown list. In this case, endpoint is format as:<code>&lt;bucket&gt;.s3.amazonaws.com</code><br> This endpoint is global endpoint. We need to change to region endpoint then issue will be fixed. The region endpoint format as: <code>&lt;bucket&gt;.s3-&lt;region&gt;.amazonaws.com</code><br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F7opchld0dr4qic1dqc3k.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F7opchld0dr4qic1dqc3k.png" alt="Alt Text"></a><br> The result as below<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F9m8a7tm3sxn3oxb0gnxc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F9m8a7tm3sxn3oxb0gnxc.png" alt="Alt Text"></a></p> aws s3 cloudfront