The latest articles on Forem by Piotr Pabis (@ppabis). https://forem.com/ppabis https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1318014%2F38290fbe-cb90-48fd-a738-e86d08ca25da.jpeg https://forem.com/ppabis en Piotr Pabis Mon, 20 Apr 2026 07:14:17 +0000 https://forem.com/aws-builders/personal-token-factory-openclaw-in-aws-but-nvidia-gb10-at-home-3klk https://forem.com/aws-builders/personal-token-factory-openclaw-in-aws-but-nvidia-gb10-at-home-3klk <p>Even though Nemotron 3 Super is still free on OpenRouter, the agreement is that you donate all your exchanges to Nvidia for training. A paid version is available also quite cheaply ($0.10/M input, $0.50/M output.) I still decided to utilize my ASUS GX10 (aka DGX Spark aka GB10) as the token source for my agent hosted at AWS. But the trick here is the following: I don't want to open my home network to the outside Internet! Another rule: I don't want to pay for any public IPv4 address to AWS. Will I be able to achieve that? That's actually simple! Let me guide you today how I achieved that setup.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fanxmh8apbb4iw3ivtat2.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fanxmh8apbb4iw3ivtat2.jpg" alt="Diagram of the setup" width="800" height="359"></a></p> <p>Above you can see that I plan to tunnel both home and AWS networks using Wireguard. I could potentially make this site-to-site but to make it simpler and safer for my home devices, I will only connect to Wireguard server (listener) on AWS side with DGX Spark as a client. I will do it over IPv6. At the bottom you can see that my home devices have normal connectivity to both IPv6 and IPv4 Internet but on AWS side I am relying solely on IPv6 (although internally VPC still uses private IPv4 range). There will be some issues with that but we will fix them later.</p> <p><em>Companion GitHub repo: <a href="https://github.com/ppabis/wireguard-openclaw-dgx" rel="noopener noreferrer">github.com/ppabis/wireguard-openclaw-dgx</a></em></p> <h2> Setting up VPC and Wireguard server </h2> <p>I have created a simple VPC using a module with range <code>10.189.80.0/21</code> with IPv6 enabled. It has Internet Gateway in public subnets and egress only Internet Gateway for IPv6 outbound connectivity. I disabled NAT gateway on purpose, we will cover this issue later. Instances in public subnet will be reachable over IPv6 from the outside - this is where we will place our Wireguard server. OpenClaw will remain inside the private subnet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_availability_zones"</span> <span class="s2">"available"</span> <span class="p">{</span> <span class="nx">state</span> <span class="p">=</span> <span class="s2">"available"</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 6.6.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-vpc"</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"10.189.80.0/21"</span> <span class="nx">azs</span> <span class="p">=</span> <span class="nx">slice</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.189.80.0/24"</span><span class="p">,</span> <span class="s2">"10.189.81.0/24"</span><span class="p">,</span> <span class="s2">"10.189.82.0/24"</span><span class="p">]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.189.83.0/24"</span><span class="p">,</span> <span class="s2">"10.189.84.0/24"</span><span class="p">,</span> <span class="s2">"10.189.85.0/24"</span><span class="p">]</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">enable_ipv6</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">public_subnet_assign_ipv6_address_on_creation</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">private_subnet_assign_ipv6_address_on_creation</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">public_subnet_ipv6_prefixes</span> <span class="p">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">]</span> <span class="nx">private_subnet_ipv6_prefixes</span> <span class="p">=</span> <span class="p">[</span><span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">5</span><span class="p">]</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="p">}</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"public"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Creating Wireguard server instance </h2> <p>First of all, I will create an EC2 instance with latest Amazon Linux 2023. It includes WireGuard already in the repositories and the update servers work over IPv6. I will run my WireGuard server on port <code>51280</code> so that's what I will open on the security group. All egress should also be open. I will attach am IAM role to it as well, no permissions but it will come handy later. First, define all the smaller components.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_ssm_parameter"</span> <span class="s2">"al2023_arm64"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-arm64"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"wireguard"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"wireguard-sg"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">51280</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">51280</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ipv6_cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"::/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">ipv6_cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"::/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"wireguard_assume_role_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ec2.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"wireguard"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"wg-ec2-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">wireguard_assume_role_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_instance_profile"</span> <span class="s2">"wireguard"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"wg-ec2-profile"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">wireguard</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <p>And finally we can define the EC2 instance. It will be the cheapest and smallest possible one I can find, which is <code>t4g.nano</code>. AMI ID is pulled from publicly shared SSM parameter (easier than AMI data source in Terraform). From networking I'm disabling public IPv4 assignment, forcing at least one IPv6 and disabling source destination check (more on that later). I didn't define any SSH connectivity, nor EC2 Instance Connect or Session Manager. The cheapest option here would be to define a key pair and open <code>22</code> on IPv6 to your subnet if you need debugging.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3zcptdl3gik6sz0dd3ar.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3zcptdl3gik6sz0dd3ar.jpg" alt="EC2 instance diagram" width="637" height="304"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"wireguard"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_ssm_parameter</span><span class="p">.</span><span class="nx">al2023_arm64</span><span class="p">.</span><span class="nx">value</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t4g.nano"</span> <span class="nx">iam_instance_profile</span> <span class="p">=</span> <span class="nx">aws_iam_instance_profile</span><span class="p">.</span><span class="nx">wireguard</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">wireguard</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">ipv6_address_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">source_dest_check</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">user_data</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Wireguard"</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">ami</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"ipv6"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">wireguard</span><span class="p">.</span><span class="nx">ipv6_addresses</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Installing and configuring Wireguard on the server </h2> <p>How would we install the server if we have no SSH or any other shell access to the instance? As you see above, I have defined user data. This is a script that runs on first instance boot... if you just use pure Bash. For our use case, we want to be able to control instance contents dynamically. For that we will use cloud-init, which allows for more flexibility regarding user data contents. We will start with the draft defining "attachments" with both cloud-init's cloud-config (YAML) as well as standard Bash script that starts on boot. I'm writing this in a new file called <code>user-data.yaml</code> (although it's not a valid YAML file).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Content-Type</span><span class="pi">:</span> <span class="s">multipart/mixed; boundary="//"</span> <span class="na">MIME-Version</span><span class="pi">:</span> <span class="m">1.0</span> <span class="s">--//</span> <span class="na">Content-Type</span><span class="pi">:</span> <span class="s">text/cloud-config; charset="us-ascii"</span> <span class="na">MIME-Version</span><span class="pi">:</span> <span class="m">1.0</span> <span class="na">Content-Transfer-Encoding</span><span class="pi">:</span> <span class="s">7bit</span> <span class="na">Content-Disposition</span><span class="pi">:</span> <span class="s">attachment; filename="cloud-config.txt"</span> <span class="c1">#cloud-config</span> <span class="na">package_update</span><span class="pi">:</span> <span class="kc">true</span> <span class="s">--//</span> <span class="na">Content-Type</span><span class="pi">:</span> <span class="s">text/x-shellscript; charset="us-ascii"</span> <span class="na">MIME-Version</span><span class="pi">:</span> <span class="m">1.0</span> <span class="na">Content-Transfer-Encoding</span><span class="pi">:</span> <span class="s">7bit</span> <span class="na">Content-Disposition</span><span class="pi">:</span> <span class="s">attachment; filename="userdata.txt"</span> <span class="c1">#!/bin/bash</span> <span class="s">echo "Configuring WireGuard..."</span> <span class="s">--//--</span> </code></pre> </div> <h4> <em>Side note</em> </h4> <p><em>If you know cloud-init, you might wonder why I want to use also user data. For</em> <em>some reason <code>runcmd</code> doesn't always execute when I want it to and <code>bootcmd</code></em> <em>happens too early.</em></p> <p>As you see we have two sections in this file. First, we have defined cloud-config that will just update packages on startup. Second script will also execute on first boot and just echo a message. Now what we can do is to configure each module to run on every restart. In cloud-config add this (insert between boundaries):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">#cloud-config</span> <span class="na">package_update</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">cloud_final_modules</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">scripts-user</span><span class="pi">,</span> <span class="nv">always</span><span class="pi">]</span> <span class="na">cloud_config_modules</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">write_files</span><span class="pi">,</span> <span class="nv">always</span><span class="pi">]</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">package_update_upgrade_install</span><span class="pi">,</span> <span class="nv">always</span><span class="pi">]</span> </code></pre> </div> <p>Now all the sections (that we define soon) will run on every instance reboot. This will give us some flexibility in changing the configuration (although requiring reboot but how often do you plan to change this 😄). Let us install required packages: Wireguard itself, iptables for routing capabilities and for convenience if you need to debug, <code>tmux</code> and <code>htop</code> can come in handy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">packages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">wireguard-tools</span> <span class="pi">-</span> <span class="s">iptables-nft</span> <span class="pi">-</span> <span class="s">htop</span> <span class="pi">-</span> <span class="s">tmux</span> </code></pre> </div> <p>Now let's proceed with Wireguard configuration. As previously stated, I want to use <code>10.155.222.0/24</code> as the subnet and listen on port <code>51280</code>. The private key will be a placeholder for safety reasons. When the tunnel is brought up, we are going to enable IP forwarding in the kernel and allow forwards between <code>wg0</code> Wireguard's interface and <code>ens5</code> (primary network card in AL2023 at least). The router address (sever) will be the first one in the subnet <code>10.155.222.1</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">write_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/wireguard/wg0.conf</span> <span class="na">content</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">[Interface]</span> <span class="s">Address = 10.155.222.1/24</span> <span class="s">ListenPort = 51280</span> <span class="s">PrivateKey = _PRIVATE_KEY_</span> <span class="s"># Enable routing + NAT for WG clients to reach VPC</span> <span class="s">PostUp = sysctl -w net.ipv4.ip_forward=1</span> <span class="s">PostUp = iptables -A FORWARD -i wg0 -o ens5 -j ACCEPT</span> <span class="s">PostUp = iptables -A FORWARD -i ens5 -o wg0 -j ACCEPT</span> <span class="s">PostDown = iptables -D FORWARD -i wg0 -o ens5 -j ACCEPT</span> <span class="s">PostDown = iptables -D FORWARD -i ens5 -o wg0 -j ACCEPT</span> <span class="s"># End of file</span> </code></pre> </div> <p>This configuration is not yet usable until we create another part of the user data attachment. In the Bash script that is going to run on every machine startup, we are going to generate Wireguard's key pair, if it doesn't exist, and if it does, we will just replace the <code>_PRIVATE_KEY_</code> placeholder with <code>sed</code>. But that's not all! We also need the public key of the server after all to connect. As I don't want to need any SSH-like connectivity to this server, it will export the public key to AWS Systems Manager Parameter Store.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">--</span>// Content-Type: text/x-shellscript<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span><span class="s2">"us-ascii"</span> MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: attachment<span class="p">;</span> <span class="nv">filename</span><span class="o">=</span><span class="s2">"userdata.txt"</span> <span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-eo</span> pipefail <span class="nb">echo</span> <span class="s2">"Configuring WireGuard..."</span> <span class="c"># If there's no private key, generate the private key into a file and derive</span> <span class="c"># the public one also into a file.</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> /etc/wireguard/private.key <span class="o">]</span><span class="p">;</span> <span class="k">then </span>wg genkey | <span class="nb">tee</span> /etc/wireguard/private.key | wg pubkey <span class="o">&gt;</span> /etc/wireguard/public.key <span class="k">fi</span> <span class="c"># Replace the private key placeholder if it exists in wg0.conf</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s#_PRIVATE_KEY_#</span><span class="si">$(</span><span class="nb">cat</span> /etc/wireguard/private.key<span class="si">)</span><span class="s2">#g"</span> /etc/wireguard/wg0.conf <span class="c"># Export the public key to SSM Parameter Store. Use IPv6 endpoint.</span> <span class="nb">echo</span> <span class="s2">"Public key: </span><span class="si">$(</span><span class="nb">cat</span> /etc/wireguard/public.key<span class="si">)</span><span class="s2">"</span> <span class="nb">export </span><span class="nv">AWS_USE_DUALSTACK_ENDPOINT</span><span class="o">=</span><span class="nb">true </span>aws ssm put-parameter <span class="nt">--type</span> <span class="s2">"String"</span> <span class="nt">--overwrite</span> <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"/wireguard/public-key"</span> <span class="se">\</span> <span class="nt">--value</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">cat</span> /etc/wireguard/public.key<span class="si">)</span><span class="s2">"</span> <span class="c"># Start the tunnel.</span> wg-quick up wg0 <span class="nt">--</span>//-- </code></pre> </div> <p>Currently if you run the script, the machine will not be able to write into Parameter Store because the IAM role doesn't have such permissions. Add the following policy to the previously defined role.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"X"</span> <span class="p">{}</span> <span class="k">data</span> <span class="s2">"aws_region"</span> <span class="s2">"X"</span> <span class="p">{}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"wireguard_ssm_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ssm:PutParameter"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arn:aws:ssm:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">X</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">X</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">:parameter/wireguard/public-key"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"wireguard_ssm_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"wg-ssm-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">wireguard</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">wireguard_ssm_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>As the last part, add the user data local variable. I will use <code>templatefile</code> because we are going to do some dynamic things later, so it will come in handy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/user-data.yaml"</span><span class="p">,</span> <span class="p">{})</span> <span class="p">}</span> </code></pre> </div> <p>When you now deploy this infrastructure, after some minutes you should get a public key in SSM Parameter Store under <code>wireguard/public-key</code>. You can use it to configure the client connections. You can also use the following command to get the public key value.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ssm get-parameter <span class="se">\</span> <span class="nt">--name</span> /wireguard/public-key <span class="se">\</span> <span class="nt">--query</span> Parameter.Value <span class="se">\</span> <span class="nt">--output</span> text </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frcqlnup2vlths6gmvxsx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frcqlnup2vlths6gmvxsx.png" alt="Public key in parameter store" width="800" height="313"></a></p> <h2> Setting up client </h2> <p>On the client side, so my DGX Spark, I will now SSH and also install Wireguard. I am using default Ubuntu installation. We are going to generate a new private key, get the public key and save the configuration. You need to run the following commands under root.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt <span class="nt">-y</span> <span class="nb">install </span>wireguard wireguard-tools </code></pre> </div> <p>Define some variables that are public key from SSM Parameter store and output with IPv6 from Terraform. Also configure the path where you want to keep the configuration. I will use <code>wg1</code> interface.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">WG_SERVER_KEY</span><span class="o">=</span><span class="s2">"sJQTQ7sytRuLBK74Y24TNtXrHqrmpRb+ZsT9olMfXQ4="</span> <span class="c"># Key from SSM</span> <span class="nv">WG_SERVER_IP</span><span class="o">=</span><span class="s2">"2a05:d012:e21:2345:6789:01ab:cdef:9dd7"</span> <span class="c"># IPv6 from AWS</span> <span class="nb">mkdir</span> <span class="nt">-p</span> /etc/wireguard/ <span class="nv">WG_CONFIG</span><span class="o">=</span>/etc/wireguard/wg1.conf <span class="nv">WG_PRIVATE_KEY</span><span class="o">=</span><span class="si">$(</span>wg genkey<span class="si">)</span> <span class="nv">WG_PUBLIC_KEY</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$WG_PRIVATE_KEY</span> | wg pubkey<span class="si">)</span> <span class="nb">echo</span> <span class="s2">"Public key = </span><span class="nv">$WG_PUBLIC_KEY</span><span class="s2">"</span> </code></pre> </div> <p>Then generate the configuration. In case you have some firewall, select a port that you want to use for listening on incoming VPN traffic. Choose a unique address from the VPN subnet pool. Optionally set the DNS resolver to the AWS VPC one (second address of subnet's CIDR). <code>AllowedIPs</code> is an unfortunate name but these are the routes that should go through the VPN - I set them to VPC CIDR and VPN's internal subnet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&gt;</span> <span class="nv">$WG_CONFIG</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> [Interface] PrivateKey = </span><span class="nv">$WG_PRIVATE_KEY</span><span class="sh"> # Public Key: </span><span class="nv">$WG_PUBLIC_KEY</span><span class="sh"> Address = 10.155.222.3/32 DNS = 10.189.80.2 # Optional ListenPort = 62910 # You can skip this if you don't have firewall [Peer] PublicKey = </span><span class="nv">$WG_SERVER_KEY</span><span class="sh"> AllowedIPs = 10.189.80.0/21, 10.155.222.0/24 # Connectivity to VPC and VPN PersistentKeepalive = 25 Endpoint = [</span><span class="nv">$WG_SERVER_IP</span><span class="sh">]:51280 </span><span class="no"> EOF </span></code></pre> </div> <h2> Allowing new client on the Wireguard server </h2> <p>As you get the new public key for your home client, we need to now enable it on the Wireguard server. As you remember we used <code>templatefile</code> to load the user data. This will come useful now as we will be able to configure multiple clients. Let's revisit the <code>write_files</code> section. Modify the end of file, after iptables commands.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">write_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/wireguard/wg0.conf</span> <span class="na">content</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">[Interface]</span> <span class="s">Address = 10.155.222.1/24</span> <span class="s">ListenPort = 51280</span> <span class="s">PrivateKey = _PRIVATE_KEY_</span> <span class="s"># Enable routing + NAT for WG clients to reach VPC</span> <span class="s">PostUp = sysctl -w net.ipv4.ip_forward=1</span> <span class="s">PostUp = iptables -A FORWARD -i wg0 -o ens5 -j ACCEPT</span> <span class="s">PostUp = iptables -A FORWARD -i ens5 -o wg0 -j ACCEPT</span> <span class="s">PostDown = iptables -D FORWARD -i wg0 -o ens5 -j ACCEPT</span> <span class="s">PostDown = iptables -D FORWARD -i ens5 -o wg0 -j ACCEPT</span> <span class="s">%{~ for peer in peers ~}</span> <span class="s">[Peer]</span> <span class="s">PublicKey = ${peer.public_key}</span> <span class="s">AllowedIPs = ${peer.address}/32</span> <span class="s">%{~ endfor ~}</span> <span class="s"># End of file</span> </code></pre> </div> <p>The above for loop will generate multiple clients on the Wireguard server. Now in the template variables you have to set <code>peers</code> map with <code>public_key</code> and <code>address</code> keys. Revisit the locals in EC2 instance. Applying this will reboot the instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"user-data.yaml"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">peers</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">address</span> <span class="p">=</span> <span class="s2">"10.155.222.3"</span><span class="p">,</span> <span class="c1"># the IP you selected for the client</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="s2">"bxmMoVvXlVVRg7uaTnxI6Vf7wxeI0XWj5d6zREqDkzk="</span> <span class="c1"># the public key of the client</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Now if you bring up the there should be a status about latest handshake and some data that is received.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>wg-quick up wg1 <span class="o">[</span><span class="c">#] ip link add wg1 type wireguard</span> <span class="o">[</span><span class="c">#] wg setconf wg1 /dev/fd/63</span> <span class="o">[</span><span class="c">#] ip -4 address add 10.155.222.3/32 dev wg1</span> <span class="o">[</span><span class="c">#] ip link set mtu 1420 up dev wg1</span> <span class="o">[</span><span class="c">#] ip -4 route add 10.155.222.0/24 dev wg1</span> <span class="o">[</span><span class="c">#] ip -4 route add 10.189.80.0/21 dev wg1</span> <span class="nv">$ </span><span class="nb">sudo </span>wg interface: wg1 public key: <span class="nv">bxmMoVvXlVVRg7uaTnxI6Vf7wxeI0XWj5d6zREqDkzk</span><span class="o">=</span> private key: <span class="o">(</span>hidden<span class="o">)</span> listening port: 62910 peer: sJQTQ7sytRuLBK74Y24TNtXrHqrmpRb+ZsT9olMfXQ4<span class="o">=</span> endpoint: <span class="o">[</span>2a05:d012:e21:2345:6789:01ab:cdef:9dd7]:51280 allowed ips: 10.189.80.0/21, 10.155.222.0/24 latest handshake: 22 seconds ago transfer: 92 B received, 180 B sent persistent keepalive: every 25 seconds </code></pre> </div> <p>I have created a test internal application load balancer. It will listen for CIDR <code>10.155.222.0</code> (<strong>not</strong> VPC CIDR!) on port 80. But before this can be used you also have to define routes for Wireguard's subnet. This is the reason for turning off source-destination check on the network card of the EC2 instance. Without that feature, packets destined for Wireguard (whether requests or responses) will be accepted by the EC2 instance even if the destination isn't any of the instance's IPs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_route"</span> <span class="s2">"wireguard_tunnel_prefix"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span> <span class="nx">concat</span><span class="p">(</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_route_table_ids</span><span class="p">,</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_route_table_ids</span> <span class="p">)</span> <span class="p">)</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="nx">destination_cidr_block</span> <span class="p">=</span> <span class="s2">"10.155.222.0/24"</span> <span class="nx">network_interface_id</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">wireguard</span><span class="p">.</span><span class="nx">primary_network_interface_id</span> <span class="p">}</span> </code></pre> </div> <p>Afterwards I tested with cURL and the connectivity was established! The test IPs are private range as you see below. I even tried DNS and it was also functional through the Wireguard interface - that way we can later set up some private domains or use Cloud Map.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl http://internal-mytest-alb-1234567890.eu-west-3.elb.amazonaws.com hello world <span class="nv">$ </span>dig +short internal-mytest-alb-1234567890.eu-west-3.elb.amazonaws.com 10.189.83.70 10.189.85.144 <span class="nv">$ </span>resolvectl query internal-mytest-alb-1234567890.eu-west-3.elb.amazonaws.com internal-mytest-alb-1234567890.eu-west-3.elb.amazonaws.com: 10.189.83.70 <span class="nt">--</span> <span class="nb">link</span>: wg1 10.189.85.144 <span class="nt">--</span> <span class="nb">link</span>: wg1 </code></pre> </div> <h2> Installing LLM server </h2> <p>Now we need to install and configure Ollama. Just follow the instructions on <a href="https://ollama.com" rel="noopener noreferrer">ollama.com</a> to install it, or you can use any other LLM server you wish. Be sure that it is listening on all addresses and not just local host. Create the following override in SystemD (on Ubuntu).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo cat</span> <span class="o">&gt;</span> /etc/systemd/system/ollama.service.d/override.conf <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> [Service] Environment="OLLAMA_HOST=0.0.0.0:11434" Environment="OLLAMA_CONTEXT_LENGTH=212000" Environment="OLLAMA_KV_CACHE_TYPE=q8_0" Environment="OLLAMA_KEEP_ALIVE=2400" </span><span class="no">EOF </span><span class="nb">sudo </span>systemctl <span class="nb">enable</span> <span class="nt">--now</span> ollama <span class="nb">sudo </span>systemctl restart ollama </code></pre> </div> <p>You can alternatively run it in Docker. It should be supported on DGX Spark out of the box to use it with the GPU. Choose only one or the other because they occupy the same port in the command below!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--gpus</span><span class="o">=</span>all <span class="se">\</span> <span class="nt">-v</span> ollama:/root/.ollama <span class="se">\</span> <span class="nt">-p</span> 11434:11434 <span class="se">\</span> <span class="nt">--name</span> ollama <span class="se">\</span> <span class="nt">--restart</span><span class="o">=</span>unless-stopped <span class="se">\</span> ollama/ollama </code></pre> </div> <p>For direct installations, you can just use <code>ollama pull &lt;model&gt;</code> to download the model in advance. I will use Nvidia's Nemotron 3 Super which was one of the best medium-sized models when I started writing this post. However, Gemma 4 and Qwen 3.6 were also released so you can experiment with that.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ollama pull nemotron-3-super:120b-a12b-q4_K_M </code></pre> </div> <h2> Connecting from an EC2 instance </h2> <p>I will create another EC2 instance which will be used for OpenClaw or any other system as you want such as Hermes or just a web app for chatting. I will prepare the instance first, will use Ubuntu 24.04 and <code>t4g.medium</code> instance. I will also create a new user data script that will bootstrap some of the required packages. As we have IPv6 outbound connectivity from private subnet, APT repositories should work without issues. I will also enable SSH access from Wireguard's inner subnet so that I can SSH to the instance, but you can alternatively use IPv6 when moving to public subnet or via SSM Systems Manager if you configure it, it's up to you.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_ssm_parameter"</span> <span class="s2">"ubuntu_2404"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"/aws/service/canonical/ubuntu/server/24.04/stable/current/arm64/hvm/ebs-gp3/ami-id"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"agent"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"openclaw-agent-sg"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">agent</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.155.222.0/24"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">ipv6_cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"::/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"agent"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_ssm_parameter</span><span class="p">.</span><span class="nx">ubuntu_2404</span><span class="p">.</span><span class="nx">value</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t4g.medium"</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"openclaw.yaml"</span><span class="p">)</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"openclaw-agent"</span> <span class="p">}</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">agent</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">ipv6_address_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">metadata_options</span> <span class="p">{</span> <span class="nx">http_endpoint</span> <span class="p">=</span> <span class="s2">"enabled"</span> <span class="nx">http_tokens</span> <span class="p">=</span> <span class="s2">"required"</span> <span class="p">}</span> <span class="nx">root_block_device</span> <span class="p">{</span> <span class="nx">volume_size</span> <span class="p">=</span> <span class="mi">20</span> <span class="nx">volume_type</span> <span class="p">=</span> <span class="s2">"gp3"</span> <span class="nx">encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">delete_on_termination</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">ami</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"private_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">agent</span><span class="p">.</span><span class="nx">private_ip</span> <span class="p">}</span> </code></pre> </div> <p>From the system config I will do the following:</p> <ul> <li>add Node.js APT repository of version 24,</li> <li>install Node.js and unattended upgrades,</li> <li>enable unattended upgrades,</li> <li>enable AWS SSM (optional but useful).</li> </ul> <p>I will also create a separate user for OpenClaw so that it can have its own home directory and permissions. It is also very important to create the default user as this will allow you to SSH to the instance to onboard OpenClaw. If you wish you can also specify SSH keys in here or via AWS key pairs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">#cloud-config</span> <span class="na">cloud_final_modules</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">scripts-user</span><span class="pi">,</span> <span class="nv">always</span><span class="pi">]</span> <span class="na">cloud_config_modules</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">write_files</span><span class="pi">,</span> <span class="nv">always</span><span class="pi">]</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">apt_configure</span><span class="pi">,</span> <span class="nv">always</span><span class="pi">]</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">package_update_upgrade_install</span><span class="pi">,</span> <span class="nv">always</span><span class="pi">]</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">openclaw-agent</span> <span class="na">create_hostname_file</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="na">nodejs</span><span class="pi">:</span> <span class="na">keyid</span><span class="pi">:</span> <span class="s">2F59B5F99B1BE0B4</span> <span class="na">keyserver</span><span class="pi">:</span> <span class="s">keyserver.ubuntu.com</span> <span class="na">source</span><span class="pi">:</span> <span class="s">deb [signed-by=$KEY_FILE] https://deb.nodesource.com/node_24.x nodistro main</span> <span class="na">package_update</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">package_upgrade</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">packages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">nodejs</span> <span class="pi">-</span> <span class="s">unattended-upgrades</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">default</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">openclaw</span> <span class="na">uid</span><span class="pi">:</span> <span class="m">2200</span> <span class="na">ssh_authorized_keys</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPgVNNOeuUqMgobgeIIkndXXYekOmC/e5bqty3f0UXDa my-ssh-key</span> <span class="na">write_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/apt/apt.conf.d/20auto-upgrades</span> <span class="na">permissions</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0644"</span> <span class="na">owner</span><span class="pi">:</span> <span class="s">root:root</span> <span class="na">content</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">APT::Periodic::Update-Package-Lists "1";</span> <span class="s">APT::Periodic::Unattended-Upgrade "1";</span> <span class="na">runcmd</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">systemctl enable --now unattended-upgrades || </span><span class="kc">true</span> <span class="pi">-</span> <span class="s">loginctl enable-linger openclaw || </span><span class="kc">true</span> <span class="c1"># Enable SystemD on openclaw's user</span> </code></pre> </div> <h2> Installing OpenClaw - with a caveat 😳 </h2> <p>I SSH'd into the instance and Nodejs should already be there based on the provided user data. So I switched user to the new <code>openclaw</code> one I defined and started installation with NPM.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh ubuntu@<span class="si">$(</span>tofu output <span class="nt">-raw</span> private_ip<span class="si">)</span> <span class="c"># replace with your private IP</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ssh"><code><span class="k">The</span> authenticity of host '10.189.83.247 (10.189.83.247)' can't be established. <span class="k">ED25519</span> key fingerprint is: SHA256:iMfJBU8iSEc5ikspbNKGD8jCAlLGwrOs28lbI4aPw2Q <span class="k">This</span> key is not known by any other names. <span class="k">Are</span> you sure you want to continue connecting (yes/no/[fingerprint])? <span class="no">yes</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Inside the machine</span> <span class="nb">sudo </span>su openclaw <span class="nt">-l</span> <span class="nt">-s</span> /bin/bash npm <span class="nb">install </span>openclaw@latest </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="c">... </span><span class="go">4564 error A git connection error occurred 4565 error command git --no-replace-objects ls-remote ssh://git@github.com/whiskeysockets/libsignal-node.git 4566 error ssh: connect to host github.com port 22: Connection timed out 4566 error fatal: Could not read from remote repository. </span></code></pre> </div> <p>This timeout happens because we don't have public IPv4 connectivity! There are two standard solutions - public IP for the instance or NAT Gateway or...</p> <h3> Hosting tinyproxy on DGX Spark </h3> <p>As we already have connection to other VPN places we can simply use one of the machines on the network as the exit to IPv4 internet. As a bonus we retain our residential IP! So let's spin it up in a Docker but for that we need to make some configuration first in <code>Dockerfile</code> and <code>tinyproxy.conf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> alpine:latest</span> <span class="k">RUN </span>apk add tinyproxy <span class="k">COPY</span><span class="s"> tinyproxy.conf /etc/tinyproxy/tinyproxy.conf</span> <span class="k">EXPOSE</span><span class="s"> 8888</span> <span class="k">ENTRYPOINT</span><span class="s"> ["/usr/bin/tinyproxy"]</span> <span class="k">CMD</span><span class="s"> ["-d"]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">Port</span> <span class="err">8888</span> <span class="err">Timeout</span> <span class="err">600</span> <span class="err">MaxClients</span> <span class="err">100</span> <span class="err">ViaProxyName</span> <span class="err">"tinyproxy"</span> <span class="err">User</span> <span class="err">nobody</span> <span class="err">Group</span> <span class="err">nobody</span> <span class="err">DefaultErrorFile</span> <span class="err">"/usr/share/tinyproxy/default.html"</span> <span class="err">StatFile</span> <span class="err">"/usr/share/tinyproxy/stats.html"</span> <span class="err">LogLevel</span> <span class="err">Info</span> <span class="err">Allow</span> <span class="err">127.0.0.1</span> <span class="py">Allow</span> <span class="p">:</span><span class="s">:1</span> <span class="err">Allow</span> <span class="err">10.155.222.0/24</span> <span class="err">Allow</span> <span class="err">10.189.80.0/21</span> </code></pre> </div> <p>From that config we can easily build the new image for Tinyproxy and set it up so that it starts on boot. Of course then all this connectivity will rely on our local machine being up, so it's only usable for some of IPv4 requirements such as GitHub.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> local-tinyproxy:latest <span class="nb">.</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> tinyproxy <span class="se">\</span> <span class="nt">--restart</span><span class="o">=</span>unless-stopped <span class="se">\</span> <span class="nt">-p</span> 8989:8888 <span class="se">\</span> local-tinyproxy:latest </code></pre> </div> <p>Now we can easily direct the proxy to the new service within Wireguard's network. However, in order to do this, we need to open the port <code>8989</code> (and <code>11434</code> for Ollama) on Wireguard's instance. You might ask why is that? So any packet sent from OpenClaw's instance in that direction will look like this:</p> <ul> <li>source address: <code>10.189.83.247</code> (example),</li> <li>destination address: <code>10.155.222.3</code>,</li> <li>source port: <code>59123</code> (example),</li> <li>destination port: <code>8989</code>.</li> </ul> <p>Filtering on AWS security group level cares about source address and destination port rather than anything else. Destination address is taken care by "source-destination" check of the network interface - the feature we just disabled. Let's update our security group.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"wireguard"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"wireguard-sg"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">51280</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">51280</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ipv6_cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"::/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">11434</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">11434</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">agent</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">8989</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">8989</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">agent</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">ipv6_cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"::/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9p5otcbagpnyidjkz1aq.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9p5otcbagpnyidjkz1aq.jpg" alt="Connection between OpenClaw and DGX over VPN" width="764" height="293"></a></p> <p>Now you can configure NPM and Git to use the proxy and OpenClaw should be able to install with no issues. You can also test the connectivity with cURL even, if it responds with 500, this is fine; if 403, this might be a problem with <code>tinyproxy.conf</code>. If this cURL command shows timeout or "couldn't connect to server", this can be security groups, routes or other firewall.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://10.155.222.3:8989 <span class="nt">-X</span> CONNECT | <span class="nb">grep </span>title <span class="c"># Test results</span> <span class="c"># &lt;title&gt;500 Unable to connect&lt;/title&gt;</span> npm <span class="nb">set </span>https-proxy<span class="o">=</span>http://10.155.222.3:8989 npm <span class="nb">set </span><span class="nv">proxy</span><span class="o">=</span>http://10.155.222.3:8989 git config <span class="nt">--global</span> http.proxy http://10.155.222.3:8989 git config <span class="nt">--global</span> https.proxy http://10.155.222.3:8989 npm <span class="nb">install </span>openclaw@latest </code></pre> </div> <h2> OpenClaw - Onboard! </h2> <p>And we are almost done! The only thing we now need is to follow the onboarding process. Use Ollama provider in local mode, set the correct DGX's IP over Wireguard and choose the model from the list!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">XDG_RUNTIME_DIR</span><span class="o">=</span>/run/user/<span class="si">$(</span><span class="nb">id</span> <span class="nt">-u</span><span class="si">)</span> <span class="c"># for systemd support</span> npx openclaw onboard </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn6roww7inka2rusu3zdp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn6roww7inka2rusu3zdp.png" alt="OpenClaw onboarding" width="610" height="267"></a></p> <p>I will demonstrate usage via TUI rather than any instant messenger here. The first load time for the latest build of OpenClaw took around 1:30 minutes with Nemotron 3 Super (q4). After resetting the session, first message took around 20 seconds (to load 12k context), so most of the time was loading the model into VRAM. Keeping model in memory is controllable on Ollama's side. For each subsequent message, there's some more time needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx openclaw tui </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdmfxiz0oswkh5rcsdhsr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdmfxiz0oswkh5rcsdhsr.png" alt="OpenClaw first message" width="518" height="209"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fifveulpztugtv33r23jb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fifveulpztugtv33r23jb.png" alt="OpenClaw any other message" width="518" height="209"></a></p> <p>To have some performance comparison, I decided to also try running the agent on latest Qwen 3.6 35B (<code>qwen3.6:35b-a3b-q8_0</code>). The startup took around 30 seconds and each message takes maybe 10.</p> <h2> Power usages </h2> <p>I decided to also order a meter that provided how much power the DGX machine draws in different situations. When it's completely idle, it takes around 30W, with the model loaded to memory but unused it's around 40W and during response generation it oscillates around 170W. Let's do some assumptions - when you sleep you don't use OpenClaw at all but you keep DGX Spark on, so it takes 30W for 7 hours. You are a very heavy user, writing to OpenClaw all day, scheduling a lot of tasks basically treating it as a thinking extension which totals to 8 hours of pure generative work. For all the other time it just sits idle but loaded to memory.</p> <ul> <li>7 h * 30 W = 210 Wh</li> <li>8 h * 170 W = 1360 Wh</li> <li>9 h * 40 W = 360 Wh</li> <li>in total it is about 2 kWh</li> <li>assuming price in Germany is 0.5€ for a kilowatt-hour, it is 1€ per day, 30€ per month, just for pure token generation.</li> </ul> <p>Obviously you also have to consider costs for AWS EC2 Instance. For the VPN server, if you commit for a year to EC2 saving plans, you will pay around 25€, for the agent instance, if it's online all year round this is 200€ (but note that OpenClaw is especially heavy compared to other harnesses).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhxbf4jjt8youfqi2ymha.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhxbf4jjt8youfqi2ymha.jpg" alt="Watt measurements" width="800" height="222"></a></p> <p>If you use small model like Qwen 35B in Q8, you will still have space in VRAM for some image generator like Z-Image-Turbo, a small TTS model or Whisper Turbo for speech recognition. I managed to easily fit image generation and VibeVoice ASR along with the chatbot model in 100 gigs of RAM.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F03r9u0n4n3hx4k6gm5g2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F03r9u0n4n3hx4k6gm5g2.png" alt="100G RAM filled up" width="800" height="576"></a></p> <h2> Cons of this setup </h2> <p>Of course each of such setups comes with a tradeoff. You keep your privacy, you maybe pay less for inference (that's debatable) but that's about it. The best setup is to have GB10 as the primary model provider and fall back on something small on OpenRouter. There's always a possibility to mix multiple models and providers using subagents. For example you want to perform a coding task, you use Sonnet 4.6 but you keep local Qwen 3.6 for orchestration. Such setup is far from highly available. Not only can the machine break, you can have blackout or Internet can be down in your flat. Another tradeoff is speed - most of the medium sized models from OpenAI or Anthropic will nevertheless run faster than any decent model on DGX Spark.</p> <p>The prefill (loading context) speed is 500 tokens per second for Nemotron 3 Super and token generation is 20 tokens per second. Assuming that in each 15 minute window we have to load 200k context, we can generate 10k tokens, that makes it (within 8 hour daily generation) 6.4 M tokens input and 0.32 M tokens output. Prompt prefill accounts for around 40% of the time spent so from a daily spend, 40 cents will go to input tokens and 60 cents to output tokens. Normalized this is around 0.06€ per million input tokens and 1.88€ per million output tokens.</p> <p>For Qwen 3.6 the speeds look different: 1150 tokens/s prefill and 39 tokens/s generation. Then in 15 minute window (200k input context) the prefill will account for 20% of the generation time. 80% of the time left will be for token generation and this will produce 28k tokens. So within a day we get 6.4 M input and 0.896 M output tokens, normalized this makes it 0.03€/Mtok input and 0.89€/Mtok output.</p> <p>Is any of these competitive? It highly depends on your use case and usage patterns; whatever I did above is just napkin maths. Gemma 4 31B over OpenRouter is just $0.13/$0.38 in/out but GPT-5.4 Nano is $0.20/$1.25.</p> openclaw nvidia vpn aws Piotr Pabis Thu, 29 Jan 2026 16:06:33 +0000 https://forem.com/aws-builders/it-support-agent-on-aws-bedrock-implementing-guardrails-ch8 https://forem.com/aws-builders/it-support-agent-on-aws-bedrock-implementing-guardrails-ch8 <p>As I mentioned in the previous post where we have created JIRA ticketing action groups, that I managed to create a ticket that was insulting the IT team. As an IT team, I would like to not be insulted, right? So today we are going to implements Guardrails. But wait, there's more! The database tickets I were supposed to create, could be set to lose access at any date, in the past or in the far future (post-AGI). I will explain to you along the way.</p> <p><a href="https://dev.to/aws-builders/it-support-agent-on-aws-bedrock-connecting-confluence-l6i"><em>Part 1 - Confluence Knowledge Base</em></a> <a href="https://dev.to/aws-builders/it-support-agent-on-aws-bedrock-jira-ticket-tool-2lc9"><em>Part 2 - JIRA ticket action group</em></a> <a href="https://github.com/ppabis/it-agent-bedrock/tree/v3" rel="noopener noreferrer"><em>GitHub: ppabis/it-agent-bedrock</em></a></p> <h2> Guardrail #1 - Insults and profanity </h2> <p>The first Guardrail I would like to implement is the one that will prevent users from posting inappropriate content into the tickets. I will use only input filtering as maybe in the future I would implement another "Action" that will retrieve the tickets and I don't want to be stopped by the guardrail this time. In Terraform code this would look something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_bedrockagent_guardrail"</span> <span class="s2">"filtering"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticket-agent-guardrail"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Input-only guardrail for toxic language and disallowed topics."</span> <span class="nx">blocked_input_messaging</span> <span class="p">=</span> <span class="s2">"Your input includes content that is not allowed to pass further. Please rephrase your message."</span> <span class="nx">blocked_outputs_message</span> <span class="p">=</span> <span class="s2">"Response blocked by guardrail."</span> <span class="nx">content_policy_config</span> <span class="p">{</span> <span class="nx">filters_config</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"HATE"</span> <span class="nx">input_strength</span> <span class="p">=</span> <span class="s2">"MEDIUM"</span> <span class="nx">output_strength</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="p">}</span> <span class="nx">filters_config</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"INSULTS"</span> <span class="nx">input_strength</span> <span class="p">=</span> <span class="s2">"MEDIUM"</span> <span class="nx">output_strength</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="p">}</span> <span class="nx">filters_config</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"VIOLENCE"</span> <span class="nx">input_strength</span> <span class="p">=</span> <span class="s2">"MEDIUM"</span> <span class="nx">output_strength</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="p">}</span> <span class="nx">filters_config</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SEXUAL"</span> <span class="nx">input_strength</span> <span class="p">=</span> <span class="s2">"MEDIUM"</span> <span class="nx">output_strength</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Guardrail #2 - Financial and hacking topics </h2> <p>I would also like the agent to not help the user hack into the company systems based for example on the knowledge base. It is possible that such Confluence wiki might have some information that can be very useful for malicious actors. What is more, if I plan to equip the agent with some more tools in the future, such as getting current state of the applications or the infrastructure, it could make it even worse. Let's extend the above guardrail.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_bedrockagent_guardrail"</span> <span class="s2">"filtering"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticket-agent-guardrail"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Input-only guardrail for toxic language and disallowed topics."</span> <span class="c1">// ...</span> <span class="nx">topic_policy_config</span> <span class="p">{</span> <span class="nx">topics_config</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Financial advice"</span> <span class="nx">definition</span> <span class="p">=</span> <span class="s2">"Requests for personal investment, trading, or financial guidance."</span> <span class="nx">examples</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"Should I buy crypto?"</span><span class="p">,</span> <span class="s2">"Recommend stocks for a quick profit."</span><span class="p">,</span> <span class="s2">"Should I take a loan to buy a house?"</span><span class="p">,</span> <span class="s2">"Should I take a loan to buy a car?"</span><span class="p">,</span> <span class="s2">"Should I consolidate my debt?"</span> <span class="p">]</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"DENY"</span> <span class="p">}</span> <span class="nx">topics_config</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Unauthorized system access"</span> <span class="nx">definition</span> <span class="p">=</span> <span class="s2">"Requests to get information about system vulnerabilities."</span> <span class="nx">examples</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"Which instances have SSH open?"</span><span class="p">,</span> <span class="s2">"How to increase my privileges without submitting a ticket?"</span> <span class="p">]</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"DENY"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Guardrail #3 - PII redaction </h2> <p>I really don't want to deal with leaked PII into our company JIRA boards. Let's say one of the employees is not aware of the risks of writing down credit card details (mostly number). I would like to prevent this from happening into our kanban board.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_bedrockagent_guardrail"</span> <span class="s2">"filtering"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticket-agent-guardrail"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Input-only guardrail for toxic language, disallowed topics and sensitive inputs."</span> <span class="c1">// ...</span> <span class="nx">sensitive_information_policy_config</span> <span class="p">{</span> <span class="nx">pii_entities_config</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"INTERNATIONAL_BANK_ACCOUNT_NUMBER"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="nx">input_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">output_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">input_action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="nx">output_action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="p">}</span> <span class="nx">pii_entities_config</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CREDIT_DEBIT_CARD_CVV"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="nx">input_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">output_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">input_action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="nx">output_action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="p">}</span> <span class="nx">pii_entities_config</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CREDIT_DEBIT_CARD_NUMBER"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="nx">input_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">output_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">input_action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="nx">output_action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="p">}</span> <span class="nx">pii_entities_config</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"AWS_SECRET_KEY"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="nx">input_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">output_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">input_action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="nx">output_action</span> <span class="p">=</span> <span class="s2">"ANONYMIZE"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Guardrails Cross-Region inference </h2> <p>For some reason, Guardrails are also offered as an Inference Profile of some sort. Thus I would like to use it. As I set up the Agent in Frankfurt, the only cross-region profile I can use is across-EU. I didn't find any way to list the inference profiles for guardrails, so you have to rely on this hardcoded ARN taken from the console.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_bedrockagent_guardrail"</span> <span class="s2">"filtering"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticket-agent-guardrail"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Input-only guardrail for toxic language, disallowed topics and sensitive inputs."</span> <span class="c1">// ...</span> <span class="nx">cross_region_config</span> <span class="p">{</span> <span class="nx">guardrail_profile_identifier</span> <span class="p">=</span> <span class="s2">"arn:aws:bedrock:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">:guardrail-profile/eu.guardrail.v1:0"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Lastly, I would like to publish a version of this guardrail. As everything in Bedrock, almost each resource is versioned, so are guardrails. The use case is that you want to test a change to it on some development agent before publishing it to production (AWS doesn't know GitFlow and multi-account strategies 😂).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_bedrock_guardrail_version"</span> <span class="s2">"filtering"</span> <span class="p">{</span> <span class="nx">guardrail_arn</span> <span class="p">=</span> <span class="nx">aws_bedrock_guardrail</span><span class="p">.</span><span class="nx">filtering</span><span class="p">.</span><span class="nx">guardrail_arn</span> <span class="p">}</span> </code></pre> </div> <p>Before we mount the guardrail to the Agent, let's test it first with some prompts. I have already tested the insults section and for some reason, the word "bastards" is not picked up even on high sensitivity, thus I had to increase the strength 😅. In testing some responses are blocked because this is just a raw model without Knowledge base or action groups, so it hallucinates random stuff that might contain some "how to get access" hints.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1x5wpdi4kfqkd8dp9t3o.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1x5wpdi4kfqkd8dp9t3o.jpg" alt="Clean prompt" width="800" height="224"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu8voznyfxcxntm0rfbv3.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu8voznyfxcxntm0rfbv3.jpg" alt="Port 3306 ticket prompt" width="800" height="296"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuwawdz5xjdsv34h01rq6.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuwawdz5xjdsv34h01rq6.jpg" alt="Insult prompt" width="800" height="262"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flqar0r2691e9rdos5a07.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flqar0r2691e9rdos5a07.jpg" alt="Database ticket prompt" width="800" height="241"></a></p> <p>I will now try to apply the guardrails to our agent and somewhat test a bit how is the flow working with it. Maybe the "hacking" ban will be too strict? Who knows. What is also important is to allow the agent's IAM role to use the guardrail.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"agent_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"bedrock:InvokeModel"</span><span class="p">,</span> <span class="s2">"bedrock:InvokeModel*"</span><span class="p">,</span> <span class="s2">"bedrock:GetInferenceProfile"</span><span class="p">,</span> <span class="s2">"bedrock:ListInferenceProfiles"</span><span class="p">,</span> <span class="s2">"bedrock:ListTagsForResource"</span><span class="p">,</span> <span class="s2">"bedrock:GetKnowledgeBase"</span><span class="p">,</span> <span class="s2">"bedrock:ListKnowledgeBases"</span><span class="p">,</span> <span class="s2">"bedrock:Retrieve"</span><span class="p">,</span> <span class="s2">"bedrock:RetrieveAndGenerate"</span><span class="p">,</span> <span class="s2">"bedrock:ApplyGuardrail"</span><span class="p">,</span> <span class="s2">"bedrock:GetGuardrail"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="c1">// ... continues</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_bedrockagent_agent"</span> <span class="s2">"ticketagent"</span> <span class="p">{</span> <span class="nx">agent_name</span> <span class="p">=</span> <span class="s2">"ticketagent"</span> <span class="nx">foundation_model</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">inference_profile_arn</span> <span class="nx">agent_resource_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">agent_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_bedrockagent_knowledge_base</span><span class="p">.</span><span class="nx">confluence</span><span class="p">]</span> <span class="nx">prepare_agent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">instruction</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">prompts</span><span class="p">.</span><span class="nx">agent_prompt</span> <span class="nx">guardrail_configuration</span> <span class="p">{</span> <span class="nx">guardrail_identifier</span> <span class="p">=</span> <span class="nx">aws_bedrock_guardrail_version</span><span class="p">.</span><span class="nx">filtering</span><span class="p">.</span><span class="nx">guardrail_arn</span> <span class="nx">guardrail_version</span> <span class="p">=</span> <span class="nx">aws_bedrock_guardrail_version</span><span class="p">.</span><span class="nx">filtering</span><span class="p">.</span><span class="nx">version</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Testing the casual guardrails </h2> <p>I performed some tests after applying the guardrail to the agent. In both cases, the success is dependent on the mood of the agent's model as well as guardrail 😅. Sometimes single words like "database access, my manager will review the permissions" would trip the "hacking" topic, but all in all it looked pretty well. The only thing that turns out doesn't work the way I wanted it to is PII masking. I was sure that when I send a message with credit card number, the input will be filtered and the ticked would contain some redacted fields.</p> <p>No 🙅.</p> <p>What AWS does in this case is to simply echo your message with replaced fields, like if it was coming from the model itself. This is crazy and unexpected. I was sure that it will just clean the message on my input and pass it to the model.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpmralybt02eqpr3ula7b.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpmralybt02eqpr3ula7b.jpg" alt="Guardrails applied and passed" width="800" height="350"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foiwzm5ewlt1mssmyd2qi.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foiwzm5ewlt1mssmyd2qi.jpg" alt="Guardrails for PII redaction" width="649" height="406"></a></p> <p>One thing that I sill need to change in here is that the date for any access can be arbitrarily long. I can do it in code but there's another feature I would like to try out...</p> <h2> Automated Reasoning checks </h2> <p>It's possible to define the reasoning using JSON and <code>SMT-LIB</code> expressions but that's absolutely crazy to do. What I will use is to write a natural language document, use AWS Console to generate the reasoning tests and import it later with OpenTofu.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzw89ngr5r1s5dhrtijgi.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzw89ngr5r1s5dhrtijgi.jpg" alt="Generating Automated Reasoning Check from text" width="800" height="312"></a></p> <p>Just input set of rules for your agent (such as company guidelines) and wait until it generates. I for example gave the rules to never request access tickets that are longer than 2 years as well as tell agent to always create a ticket for IT on hardware issues instead of guiding the user to fix it themselves.</p> <p>After generation perform manual tests with the button "Generate tests" and answer some questions with thumbs up or thumbs down. This will provide more tests that will check if the ruleset is correct. Create some annotations to update the rules and create more tests.</p> <p>Then in OpenTofu add <code>awscc</code> provider, configure it for your region, create a new file <code>import.tf</code> with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">import</span> <span class="p">{</span> <span class="nx">to</span> <span class="p">=</span> <span class="nx">awscc_bedrock_automated_reasoning_policy</span><span class="p">.</span><span class="nx">it_agent_policy</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"arn:aws:bedrock:eu-central-1:123456789012:automated-reasoning-policy/abcdef1234"</span> <span class="p">}</span> </code></pre> </div> <p>Then run <code>tofu plan -generate-config-out=arc.tf</code>. A new file <code>arc.tf</code> will be created but it is not complete unfortunately. Using AWS CLI you can fetch missing IDs and ask AI in your IDE to fix it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">POLICY_ARN</span><span class="o">=</span>arn:aws:bedrock:eu-central-1:123456789012:automated-reasoning-policy/abcdef1234 aws cloudcontrol get-resource <span class="se">\</span> <span class="nt">--type-name</span> <span class="s1">'AWS::Bedrock::AutomatedReasoningPolicy'</span> <span class="se">\</span> <span class="nt">--identifier</span> <span class="nv">$POLICY_ARN</span> <span class="se">\</span> <span class="nt">--output</span> text <span class="se">\</span> <span class="nt">--query</span> ResourceDescription.Properties <span class="se">\</span> | jq <span class="s1">'.PolicyDefinition.Rules[] | {id: .Id, expression: .Expression}'</span> </code></pre> </div> <p>Try first apply to import the changes. They will fail. You have to unfortunately recreate the whole policy with IaC if you want to have it in the Terraform state. Proceed to AWS Console to delete the policy (along with the tests).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fanl8zgwgy1j0e6y7kibn.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fanl8zgwgy1j0e6y7kibn.jpg" alt="Delete the policy" width="800" height="179"></a></p> <p>Now remember to set <code>force_delete = true</code> so that it's easy to delete the policy later on. We also need to create a version of it. Create this block to save a version of reasoning policy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"awscc_bedrock_automated_reasoning_policy_version"</span> <span class="s2">"it_agent_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">awscc_bedrock_automated_reasoning_policy</span><span class="p">.</span><span class="nx">it_agent_policy</span><span class="p">.</span><span class="nx">policy_arn</span> <span class="nx">last_updated_definition_hash</span> <span class="p">=</span> <span class="nx">awscc_bedrock_automated_reasoning_policy</span><span class="p">.</span><span class="nx">it_agent_policy</span><span class="p">.</span><span class="nx">definition_hash</span> <span class="p">}</span> </code></pre> </div> <h2> The problems emerge </h2> <p>I wanted here to write a simple instruction how to connect the reasoning checks to the guardrail and test it. However, several problems appeared out of nowhere:</p> <ol> <li> <code>aws_bedrock_guardrail</code> doesn't have a field to add ARC,</li> <li>After simple conversion of <code>aws_bedrock_guardrail</code> to <code>awscc_bedrock_guardrail</code> can't be applied due to <a href="https://github.com/hashicorp/terraform-provider-awscc/issues/2985" rel="noopener noreferrer">a bug I found</a>,</li> <li>Even after doing everything manually, the checks are not applied to the guardrail when interacting with the agent ¯\<em>(ツ)</em>/¯. It always either passes or says it's too complex,</li> <li>Bedrock is a "Production Ready Product™️" 🙄 which means AWS "Best Practices™️" means doing everything in the Console using mouse.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcexzr2na0g0uijtcjdqy.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcexzr2na0g0uijtcjdqy.jpg" alt="Adding reasoning check to the guardrail" width="772" height="276"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwp8skayi7givb0euac3s.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwp8skayi7givb0euac3s.jpg" alt="Select newer Guardrail" width="760" height="379"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fscmram8zeeti1blw7gcn.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fscmram8zeeti1blw7gcn.jpg" alt="Editing alias" width="800" height="528"></a></p> <h3> Testing ARC </h3> <p>So I will try some prompts that definitely go against the policies defined for reasoning. I will first try to create a normal database ticket, then another one with some date in the far future. Next, I will to troubleshoot my company laptop.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcrr2eu18nf25yxnqnq86.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcrr2eu18nf25yxnqnq86.jpg" alt="Database access tickets" width="800" height="359"></a></p> <p>![Help me fix the laptop]<a href="https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3o8qhekve1cg9rfqjbe6.jpg" rel="noopener noreferrer">https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3o8qhekve1cg9rfqjbe6.jpg</a>)</p> <p>As you see the checks do not do anything to prevent me from going further. The database tickets are simply created for 2035 and the model tries to look for information in the knowledge base for hardware fixes (even though it suggests creating a ticket, this is simply its own creativity, on other tries it just simply says there's nothing in KB to help me).</p> <p>Therefore, I decided to revert any commit related to Automated Reasoning Checks.</p> aws bedrock guardrails Piotr Pabis Tue, 27 Jan 2026 15:26:02 +0000 https://forem.com/aws-builders/it-support-agent-on-aws-bedrock-jira-ticket-tool-2lc9 https://forem.com/aws-builders/it-support-agent-on-aws-bedrock-jira-ticket-tool-2lc9 <p>Today we are going to create the agent that will use our previously created Knowledge Base. It will be able to answer questions about policies and guidelines but also we are going to create some tools to create JIRA tickets on the IT board. If you have already created Atlassian organization and Confluence, you should also get JIRA as well. We can reuse the same credentials as for synchronizing Bedrock with Confluence because they mirror your admin permissions. However remember, that for production use cases you should do the OAuth flow for this use case as well (or use Service Accounts).</p> <p><em>GitHub repository:</em> <a href="https://github.com/ppabis/it-agent-bedrock/tree/v2" rel="noopener noreferrer"><em>ppabis/it-agent-bedrock</em></a>.</p> <p><a href="https://dev.to/aws-builders/it-support-agent-on-aws-bedrock-connecting-confluence-l6i"><em>Back to Part 1</em></a></p> <h2> JIRA ticket templates </h2> <p>I will create two templates for JIRA tickets to see how well our agent will handle this. One type of the ticket would be a generic request to IT and another one will be database access ticket that will have some extra fields. We will later use Lambda to interface with JIRA. But first, let's proceed to JIRA on your Atlassian domain: <code>https://&lt;myorg&gt;.atlassian.net/jira</code>. You can see below a new ticket type that I have created. It is based on one of the documents in Confluence.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fewgrjcii9lsb6mk453v5.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fewgrjcii9lsb6mk453v5.jpg" alt="New Database Access ticket type" width="800" height="362"></a></p> <h2> Interfacing Python with JIRA </h2> <p>In order to create tickets we will naturally use JIRA's API. But we need to get some values from this API first - the project ID and issue types IDs. From the commands below you can see that my project's ID is 10000 (usually the first board you create in JIRA) and, <code>10003</code> and <code>10008</code> ticket types.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-u</span> <span class="s2">"</span><span class="nv">$CONFLUENCE_EMAIL</span><span class="s2">:</span><span class="nv">$CONFLUENCE_TOKEN</span><span class="s2">"</span> <span class="se">\</span> https://&lt;myorg&gt;.atlassian.net/rest/api/3/project/AWS | jq .id <span class="s2">"10000"</span> <span class="nv">$ </span>curl <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-u</span> <span class="s2">"</span><span class="nv">$CONFLUENCE_EMAIL</span><span class="s2">:</span><span class="nv">$CONFLUENCE_TOKEN</span><span class="s2">"</span> <span class="se">\</span> https://&lt;myorg&gt;.atlassian.net/rest/api/3/project/AWS <span class="se">\</span> | jq <span class="s1">'.issueTypes[] | [.id, .name, .description]'</span> <span class="o">[</span> <span class="s2">"10002"</span>, <span class="s2">"Subtask"</span>, <span class="s2">"Subtasks track small pieces of work that are part of a larger task."</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"10003"</span>, <span class="s2">"Task"</span>, <span class="s2">"Tasks track small, distinct pieces of work."</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"10006"</span>, <span class="s2">"Bug"</span>, <span class="s2">"Bugs track problems or errors."</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"10008"</span>, <span class="s2">"Database Access"</span>, <span class="s2">"Ticket if you want to get a website access for your user"</span> <span class="o">]</span> </code></pre> </div> <p>What is more, I would like to get the fields needed to be filled out in each ticket. For each of the chosen ticket types that I want to be supported, I get the field ID, schema, name and if it's required or not.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-u</span> <span class="s2">"</span><span class="nv">$CONFLUENCE_EMAIL</span><span class="s2">:</span><span class="nv">$CONFLUENCE_TOKEN</span><span class="s2">"</span> <span class="se">\</span> https://&lt;myorg&gt;.atlassian.net/rest/api/3/issue/createmeta/10000/issuetypes/10008<span class="s2">" </span><span class="se">\</span><span class="s2"> | jq '.fields[] | {fieldId, name, schema, required}' </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "fieldId": "customfield_10073", "name": "permissions", "schema": { "type": "string", "custom": "com.atlassian.jira.plugin.system.customfieldtypes:textarea", "customId": 10073 } } { "fieldId": "customfield_10074", "name": "Business reason for access", "schema": { "type": "string", "custom": "com.atlassian.jira.plugin.system.customfieldtypes:textarea", "customId": 10074 } } { "fieldId": "customfield_10075", "name": "access_until", "schema": { "type": "date", "custom": "com.atlassian.jira.plugin.system.customfieldtypes:datepicker", "customId": 10075 } } </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5ox8dysq7sv5b6cbi12.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5ox8dysq7sv5b6cbi12.png" alt="Diagram of the Lambda function" width="685" height="323"></a></p> <p>Now based on the retrieved information we can proceed to create a Python function that will create a new JIRA ticket for given type. I will vibe-code it because we are doing GenAI after all, aren't we? I will also ask to generate OpenAPI schema in JSON and separate paths for ticket types. I will also ask it to create some validation functions for the inputs, give correct responses for Bedrock and paste some example event that Bedrock Agent produces. I will skip all the details how this entire script works internally (if you want to read through it, you can <a href="https://github.com/ppabis/it-agent-bedrock/tree/v2/lambdas" rel="noopener noreferrer">go to the Git repository</a>, ideally as an LLM to explain this 😂) but I will simply describe how request and response works. So the incoming payload from Bedrock Agent looks something like this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"messageVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"parameters"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"sessionId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"730335385312952"</span><span class="p">,</span><span class="w"> </span><span class="nl">"inputText"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Yes I need a database ticket for: john.doe and mike.smith the access should be granted until 30 June 2027 for development database with permissions analytics.*=SELECT,SELECT VIEW. The reason for this ticket is that John and Mike are switching department to business intelligence and analytics."</span><span class="p">,</span><span class="w"> </span><span class="nl">"agent"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ticketagent"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"KGKLDPMDNZ"</span><span class="p">,</span><span class="w"> </span><span class="nl">"alias"</span><span class="p">:</span><span class="w"> </span><span class="s2">"FHAQLR6Q0P"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"actionGroup"</span><span class="p">:</span><span class="w"> </span><span class="s2">"jira_tickets"</span><span class="p">,</span><span class="w"> </span><span class="nl">"httpMethod"</span><span class="p">:</span><span class="w"> </span><span class="s2">"POST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apiPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/db-ticket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestBody"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"content"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"application/json"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"properties"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"database_names"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"array"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[development]"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user_list"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"john.doe</span><span class="se">\n</span><span class="s2">mike.smith"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">more</span><span class="w"> </span><span class="err">of</span><span class="w"> </span><span class="err">these</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"sessionAttributes"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"promptSessionAttributes"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>So as you see, we get Agent that called our Lambda, the actual input given by the user that triggered the tool call and some other things. But what we need to focus on is <code>apiPath</code> that specifies the type of ticket that we want to create as well as <code>requestBody</code> that contains the values that we need to first, validate, and second, post to JIRA. But how does the agent know what to write in the request body? This comes from OpenAPI specification that I also asked the LLM to generate along with the Lambda code. This is a small excerpt from the file as a sample (converted to YAML for readability 😅). We will load this file later when creating the action group.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">openapi</span><span class="pi">:</span> <span class="s">3.0.0</span> <span class="na">info</span><span class="pi">:</span> <span class="na">title</span><span class="pi">:</span> <span class="s">Jira Ticket API</span> <span class="na">version</span><span class="pi">:</span> <span class="s">1.0.0</span> <span class="na">description</span><span class="pi">:</span> <span class="s">API for creating Jira tickets</span> <span class="na">paths</span><span class="pi">:</span> <span class="na">/db-ticket</span><span class="pi">:</span> <span class="na">post</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Create a database access request ticket in Jira</span> <span class="na">operationId</span><span class="pi">:</span> <span class="s">createDbTicket</span> <span class="na">requestBody</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">content</span><span class="pi">:</span> <span class="na">application/json</span><span class="pi">:</span> <span class="na">schema</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">object</span> <span class="na">required</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">summary</span><span class="pi">,</span> <span class="nv">database_names</span><span class="pi">,</span> <span class="nv">user_list</span><span class="pi">,</span> <span class="nv">permissions</span><span class="pi">,</span> <span class="nv">business_reason</span><span class="pi">,</span> <span class="nv">access_until</span><span class="pi">]</span> <span class="na">properties</span><span class="pi">:</span> <span class="na">database_names</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">array</span> <span class="na">items</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">description</span><span class="pi">:</span> <span class="s">List of database names (production, staging, development)</span> <span class="c1"># ... more fields</span> <span class="na">responses</span><span class="pi">:</span> <span class="s1">'</span><span class="s">200'</span><span class="err">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Successful response</span> <span class="na">content</span><span class="pi">:</span> <span class="na">application/json</span><span class="pi">:</span> <span class="na">schema</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">object</span> <span class="na">properties</span><span class="pi">:</span> <span class="na">message</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">/generic-ticket</span><span class="pi">:</span> <span class="na">post</span><span class="pi">:</span> <span class="c1"># ... another type of ticket</span> </code></pre> </div> <p>In Python I parse such input, route to the correct path for the requested ticket and respond in the expected format. I also print all the values to the logs and log a lot. This helps with observability and continuous improvement. In production, you would need also to take care of PII removal from events being sent here (unless you filter input with Guardrails).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Entry point for the Lambda: route requests based on the API path.</span><span class="sh">"""</span> <span class="nf">print</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">event</span><span class="p">))</span> <span class="n">api_path</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">apiPath</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">api_path</span> <span class="o">==</span> <span class="sh">"</span><span class="s">/db-ticket</span><span class="sh">"</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">route_db_ticket</span><span class="p">(</span><span class="n">event</span><span class="p">)</span> <span class="k">elif</span> <span class="n">api_path</span> <span class="o">==</span> <span class="sh">"</span><span class="s">/generic-ticket</span><span class="sh">"</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">route_generic_ticket</span><span class="p">(</span><span class="n">event</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">error_body</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Unsupported route: </span><span class="si">{</span><span class="n">api_path</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">_bedrock_agent_response</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="mi">400</span><span class="p">,</span> <span class="n">error_body</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">response</span><span class="p">))</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p>To format the output, this helper function is used. It just copies over some of the input event values and tries to format the response as JSON string. For example I raise errors on input validation issues or JIRA responses and the messages are both printed into the logs and given to the chatbot so that it can retry with a fixed input. Here you should also consider if exceptions that are raised contain some sensitive information as you don't want to give and details such as API Keys to the user 🫠.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_bedrock_agent_response</span><span class="p">(</span><span class="n">event</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">status_code</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Wrap an HTTP response in the Bedrock agent response schema.</span><span class="sh">"""</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">messageVersion</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1.0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">response</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">actionGroup</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">actionGroup</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">db-ticket-tools</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">apiPath</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">apiPath</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/db-ticket</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">httpMethod</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">httpMethod</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">httpStatusCode</span><span class="sh">"</span><span class="p">:</span> <span class="n">status_code</span><span class="p">,</span> <span class="sh">"</span><span class="s">responseBody</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">body</span><span class="p">)}},</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p>Before we can deploy our Lambda function we would need to also install all the dependencies inside it. For example, I use <code>requests</code> as the library to call the API which is not included in standard Lambda distribution. To fix that, I use Amazon Linux 2023 Docker and install <code>requests</code> with pip. Here's a one-liner that does exactly that (assuming that you hold all Lambda code in <code>lambdas/</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">--rm</span> <span class="nt">-it</span> <span class="se">\</span> <span class="nt">-v</span> <span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>/lambdas:/lambdas <span class="se">\</span> amazonlinux:2023 sh <span class="nt">-c</span> <span class="se">\</span> <span class="s1">'yum install python3-pip -y &amp;&amp; pip install -t /lambdas/ requests'</span> </code></pre> </div> <h2> Deploying Lambda in Terraform </h2> <p>Now I want to create an actual Lambda function infrastructure. We first need to put all the code and dependencies in an archive as usual and then we also need to define an IAM Role. The Role will have two policies for me: basic execution one to collect the logs and Secrets Manager to reuse the Confluence credentials we created in the first part.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">### Code</span> <span class="k">data</span> <span class="s2">"archive_file"</span> <span class="s2">"ticket_lambda"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_dir</span> <span class="p">=</span> <span class="s2">"lambdas/"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"tickets_lambda.zip"</span> <span class="p">}</span> <span class="c1">### Permissions</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"lambda_assume_role"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"lambda.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"lambda_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"secretsmanager:GetSecretValue"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">confluence</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kms:Decrypt"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringLike"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"kms:ViaService"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"secretsmanager.</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ticket_lambda_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticket_lambda_role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">lambda_assume_role</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"lambda_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticket_lambda_policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ticket_lambda_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">lambda_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"lambda_logs"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ticket_lambda_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"</span> <span class="p">}</span> </code></pre> </div> <p>Now we can create the Lambda itself. What I would also do (although I don't know if it's required) is grant Bedrock service permissions to call this Lambda using resource policy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"ticket_lambda"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"ticket_lambda"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ticket_lambda_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"lambda_handler.lambda_handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.13"</span> <span class="nx">filename</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">ticket_lambda</span><span class="p">.</span><span class="nx">output_path</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">ticket_lambda</span><span class="p">.</span><span class="nx">output_base64sha256</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_iam_role_policy</span><span class="p">.</span><span class="nx">lambda_policy</span><span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_lambda_permission"</span> <span class="s2">"allow_bedrock"</span> <span class="p">{</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowBedrockInvocation"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunction"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">ticket_lambda</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">principal</span> <span class="p">=</span> <span class="s2">"bedrock.amazonaws.com"</span> <span class="nx">source_arn</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">ticketagent</span><span class="p">.</span><span class="nx">agent_arn</span> <span class="p">}</span> </code></pre> </div> <h2> Building Bedrock Agent </h2> <p>First, what our Agent needs is an IAM role to get permissions. First of all, I plan to attach the Knowledge Base, so we need that. The Agent also needs some model (or inference profile) to invoke. And lastly, it should be able to invoke the Lambda function that we just created.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"agent_assume_role"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"bedrock.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"agent_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-agent-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">agent_assume_role</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"agent_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"bedrock:InvokeModel"</span><span class="p">,</span> <span class="s2">"bedrock:InvokeModel*"</span><span class="p">,</span> <span class="s2">"bedrock:GetInferenceProfile"</span><span class="p">,</span> <span class="s2">"bedrock:ListInferenceProfiles"</span><span class="p">,</span> <span class="s2">"bedrock:ListTagsForResource"</span><span class="p">,</span> <span class="s2">"bedrock:GetKnowledgeBase"</span><span class="p">,</span> <span class="s2">"bedrock:ListKnowledgeBases"</span><span class="p">,</span> <span class="s2">"bedrock:Retrieve"</span><span class="p">,</span> <span class="s2">"bedrock:RetrieveAndGenerate"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"lambda:InvokeFunction"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">ticket_lambda</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"agent_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-agent-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">agent_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">agent_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>I chose region <code>eu-central-1</code> and unfortunately the model choice here is quite small. AWS provides us with so called Inference Profiles. You have probably heard about cross-region inference (as one of the shiny features ✨) and these Profiles are exactly used for that. You can list them and see regions covered by them using AWS Console (in "Cross-region inference" section) or using the following CLI Command: <code>aws bedrock list-inference-profiles --region eu-central-1</code>. In Terraform, I will use a data source and filter by name to find the profile I want to use which is cross-EU Amazon Nova 2 Lite.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>data "aws_bedrock_inference_profiles" "profiles" { type = "SYSTEM_DEFINED" } locals { inference_profile_arn = [ for profile in data.aws_bedrock_inference_profiles.profiles.inference_profile_summaries : profile.inference_profile_arn if strcontains(profile.inference_profile_name, "Nova 2 Lite") &amp;&amp; strcontains(profile.inference_profile_name, "EU") ][0] } </code></pre> </div> <p>For the agent, we also need to create a system prompt that will be passed into it. We can use Bedrock Prompts to manage it but here I will use just a simple YAML file that will be also loaded as a local constant. In the agent construction I defined <code>prepare_agent</code> to true, so that we can test it almost immediately. Why is this step needed? Thank you for using Amazon Bedrock.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">knowledge_base_description</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">Knowledge base of the company with all needed IT knowledge, troubleshooting guides, standards, policies, rules, etc.</span> <span class="na">agent_prompt</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">You are an IT specialist in a company called Acme. You are responsible for helping the users with their IT questions and issues.</span> <span class="s">You are using the knowledge base to provide company information and help the users. You can also validate the ticket formats against company</span> <span class="s">policies and standards and create JIRA tickets with the provided tools.</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">prompts</span> <span class="p">=</span> <span class="nx">yamldecode</span><span class="p">(</span><span class="nx">file</span><span class="p">(</span><span class="s2">"prompts.yaml"</span><span class="p">))</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_bedrockagent_agent"</span> <span class="s2">"ticketagent"</span> <span class="p">{</span> <span class="nx">agent_name</span> <span class="p">=</span> <span class="s2">"ticketagent"</span> <span class="nx">foundation_model</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">inference_profile_arn</span> <span class="nx">agent_resource_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">agent_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_bedrockagent_knowledge_base</span><span class="p">.</span><span class="nx">confluence</span><span class="p">]</span> <span class="nx">prepare_agent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">instruction</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">prompts</span><span class="p">.</span><span class="nx">agent_prompt</span> <span class="p">}</span> </code></pre> </div> <p>Next, I will associate the Knowledge Base with the Agent so that it can answer our questions about the company and all the troubleshooting guides that we store in Confluence. What is more, I want to also added the tools: Lambda for creating tickets as well as built-in "user input" tool that just permits the agent to write follow up questions to the user (although from experience, LLM with either way ask me again for clarification without that too 🤷). This is the place where we attach the OpenAPI schema. In all "action groups" (tools) you create, you need to specify <code>DRAFT</code> version of the agent.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_bedrockagent_agent_knowledge_base_association"</span> <span class="s2">"confluence"</span> <span class="p">{</span> <span class="nx">agent_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">ticketagent</span><span class="p">.</span><span class="nx">id</span> <span class="nx">knowledge_base_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_knowledge_base</span><span class="p">.</span><span class="nx">confluence</span><span class="p">.</span><span class="nx">id</span> <span class="nx">knowledge_base_state</span> <span class="p">=</span> <span class="s2">"ENABLED"</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">ticketagent</span><span class="p">,</span> <span class="nx">aws_bedrockagent_knowledge_base</span><span class="p">.</span><span class="nx">confluence</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">prompts</span><span class="p">.</span><span class="nx">knowledge_base_description</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_bedrockagent_agent_action_group"</span> <span class="s2">"jira_tickets"</span> <span class="p">{</span> <span class="nx">agent_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">ticketagent</span><span class="p">.</span><span class="nx">id</span> <span class="nx">agent_version</span> <span class="p">=</span> <span class="s2">"DRAFT"</span> <span class="nx">action_group_state</span> <span class="p">=</span> <span class="s2">"ENABLED"</span> <span class="nx">action_group_name</span> <span class="p">=</span> <span class="s2">"jira_tickets"</span> <span class="nx">action_group_executor</span> <span class="p">{</span> <span class="nx">lambda</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">ticket_lambda</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">api_schema</span> <span class="p">{</span> <span class="nx">payload</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"lambdas/tool_schema.json"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_bedrockagent_agent_action_group"</span> <span class="s2">"user_input"</span> <span class="p">{</span> <span class="nx">agent_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">ticketagent</span><span class="p">.</span><span class="nx">id</span> <span class="nx">agent_version</span> <span class="p">=</span> <span class="s2">"DRAFT"</span> <span class="nx">action_group_name</span> <span class="p">=</span> <span class="s2">"AskUserAction"</span> <span class="nx">action_group_state</span> <span class="p">=</span> <span class="s2">"ENABLED"</span> <span class="nx">parent_action_group_signature</span> <span class="p">=</span> <span class="s2">"AMAZON.UserInput"</span> <span class="p">}</span> </code></pre> </div> <p>As the last step, I would like to create an alias for the Agent, which means it will be usable in our applications. This will ensure that all the action groups and knowledge base are connected. It will also publish a new version of the Agent. If you ever need to create another version, simply use <code>tofu taint</code> on this production alias and apply again.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_bedrockagent_agent_alias"</span> <span class="s2">"production"</span> <span class="p">{</span> <span class="nx">agent_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">ticketagent</span><span class="p">.</span><span class="nx">id</span> <span class="nx">agent_alias_name</span> <span class="p">=</span> <span class="s2">"ticketagent-production"</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_bedrockagent_agent_knowledge_base_association</span><span class="p">.</span><span class="nx">confluence</span><span class="p">,</span> <span class="nx">aws_bedrockagent_agent_action_group</span><span class="p">.</span><span class="nx">jira_tickets</span><span class="p">,</span> <span class="nx">aws_bedrockagent_agent_action_group</span><span class="p">.</span><span class="nx">user_input</span> <span class="p">]</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"agent_alias"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent_alias</span><span class="p">.</span><span class="nx">production</span><span class="p">.</span><span class="nx">agent_alias_arn</span> <span class="p">}</span> </code></pre> </div> <h2> Testing the agent </h2> <p>I used AWS Console to test the agent. I opened the newly created alias and expanded the chat in the top right for convenience. This also allows to see the trace of each action taken by the agent, whether it is reading from knowledge base, thinking or calling actions.</p> <p>The first test I performed was to ask about IT department. I already did this when testing the Knowledge Base and the results were correct but the scores were very off compared to the random question about ducks (0.40 vs 0.36). This is supposed to be fixable by a reranker model (but the quotas on it are ridiculously low).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsmgqrg1fxmxibn2sdc9v.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsmgqrg1fxmxibn2sdc9v.jpg" alt="Scores for IT department location" width="800" height="235"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2flijpdaz4m6vwom8tbv.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2flijpdaz4m6vwom8tbv.jpg" alt="Scores for ducks question" width="800" height="143"></a></p> <p>Next one was to test ticket creation. I have easily created the database ticket and the agent even followed up on more details. Although as you can see in the screenshot, sometimes Nova 2 Lite leaves some artifacts (the default temperature seems to be set to <code>1.0</code> by default but this can be edited in "advanced" orchestration settings).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhw7ldstnxl3hn1pqmz5x.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhw7ldstnxl3hn1pqmz5x.jpg" alt="DB access ticket was created" width="800" height="332"></a></p> <p>Lastly, I wanted to test creation of a generic ticket. This time I wanted to push through some insult so that we can test guardrails later on. I was sure that Nova was fine-tuned to prevent such requests but it actually did follow my order.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd0d6iiws9wrdl57xvzgp.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd0d6iiws9wrdl57xvzgp.jpg" alt="Generic insulting ticket" width="800" height="306"></a></p> bedrock lambda aws agents Piotr Pabis Sun, 25 Jan 2026 11:35:40 +0000 https://forem.com/aws-builders/it-support-agent-on-aws-bedrock-connecting-confluence-l6i https://forem.com/aws-builders/it-support-agent-on-aws-bedrock-connecting-confluence-l6i <p>GenAI Developer Pro exam is coming with big, loud steps and instead of reading through AI slop on SkillBuilder that even ChatGPT can't comprehend, I decided to learn through experience by building. My goal is to create an AI Agent that will act as IT support for a fake company Acme. As the first step I would like to create a Bedrock Knowledge Base that will be connected to Atlassian Confluence. That way we will prepare our support agent to act as a simple chatbot to find relevant troubleshooting guides and company policies stored on Confluence. This way when a colleague comes to the chat interface and asks "How can I connect to company VPN", the chatbot will search through all the documents stored in Confluence and give an answer that for example "You need to use WireGuard, generate key pair, provide public key to IT and they will send back you a configuration, here's how to do it step by step...".</p> <p><em>You can find the code on GitHub:</em> <a href="https://github.com/ppabis/it-agent-bedrock/tree/v1" rel="noopener noreferrer"><em>ppabis/it-agent-bedrock</em></a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbp0dfdgkg67qstevjyxv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbp0dfdgkg67qstevjyxv.png" alt="Diagram of current setup" width="563" height="281"></a></p> <h2> Creating Confluence </h2> <p>Atlassian gives you some small free tier of their cloud services (which includes JIRA, Trello, Confluence, Bitbucket). Just sign up for an account if you don't have one (if you ever used any of the above services, you already have an Atlassian account, so you just need to create Confluence instance). Visit <a href="https://www.atlassian.com" rel="noopener noreferrer">atlassian.com</a> and after you have an account proceed to <a href="https://www.atlassian.com/software/confluence" rel="noopener noreferrer">Confluence</a>. Click "Get it free" at the top and choose your <code>&lt;myname&gt;.atlassian.net</code> domain. Once you are onboarded, you can visit that new address any time and switch to the Confluence by clicking on the top left (4 squares) and selecting "Confluence".</p> <p>Customize the wiki however you want. I won't guide you here how to use Confluence as it's a large software on it's own but explore it and create some Pages that you can reference later with a chatbot. I asked ChatGPT to generate me some IT documents, some more general, some more technical and created some pages. In one Page I also "hid" where the IT room is so I wonder if our Knowledge Base will be able to retrieve it from an unrelated document.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgre9umcxvjrzmo9fv7om.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgre9umcxvjrzmo9fv7om.png" alt="Content in Confluence" width="800" height="302"></a></p> <h2> Creating credentials </h2> <p>After you have already played around with Confluence we will generate an API key. As an administrator of the Atlassian organization go to your personal account settings in the top-right corner, then Security and Manage API tokens. It will likely ask you for 2FA.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frnkr4fc7jlzdedvz9jm3.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frnkr4fc7jlzdedvz9jm3.jpg" alt="Go to your account security" width="800" height="149"></a></p> <p>Next select "Create API token". I tried using the one with scopes but with the setup I have but I believe it works only with OAuth and not Basic HTTP credentials I plan to use. For production use cases, you should definitely use OAuth but for this demo, we will just rely on the key that has <strong>full permissions</strong> on your account. You can read more <a href="https://docs.aws.amazon.com/bedrock/latest/userguide/confluence-data-source-connector.html#configuration-confluence-connector" rel="noopener noreferrer">about OAuth setup here</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa2rgvrrx7xum0oqncf68.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa2rgvrrx7xum0oqncf68.png" alt="Create API token" width="720" height="154"></a></p> <h2> Base infrastructure </h2> <p>We are going to build our infrastructure in OpenTofu. I will first import two providers: <code>aws</code> and <code>null</code> and create some variables and a new secret in Secrets Manager.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 6.0"</span> <span class="p">}</span> <span class="kc">null</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/null"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-central-1"</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"confluence_username"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"confluence_password"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_secretsmanager_secret"</span> <span class="s2">"confluence"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"confluence"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Confluence credentials"</span> <span class="nx">recovery_window_in_days</span> <span class="p">=</span> <span class="mi">7</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_secretsmanager_secret_version"</span> <span class="s2">"confluence"</span> <span class="p">{</span> <span class="nx">secret_id</span> <span class="p">=</span> <span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">confluence</span><span class="p">.</span><span class="nx">id</span> <span class="nx">secret_string</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">username</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">confluence_username</span> <span class="nx">password</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">confluence_password</span> <span class="p">})</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">secret_string</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>You can set it up in the following way: the e-mail can be stored in <code>terraform.tfvars</code> safely: this is the e-mail you are registered in Atlassian as. For the API token I recommend running the following Bash commands, pasting the token and only then applying the infrastructure. Because I added <code>ignore_changes</code> to the secret version, Terraform will not ask you again for the token and it won't be stored anywhere.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">read</span> <span class="nt">-s</span> TF_VAR_confluence_password <span class="c"># after running immediately paste the token and press enter</span> <span class="nb">export </span>TF_VAR_confluence_password tofu apply <span class="nb">export </span><span class="nv">TF_VAR_confluence_password</span><span class="o">=</span><span class="s2">"undefined"</span> <span class="c"># So it doesn't ask again</span> </code></pre> </div> <p>That way we have stored credentials in AWS Secrets Manager so that later on, Bedrock will be able to use them for crawling.</p> <h2> Creating OpenSearch backend </h2> <p>As our underlying storage for processed text chunks from the wiki we need to use OpenSearch Serverless. Unfortunately, it is a costly service that you pay even for not using (and pay a lot for a <em>serverless</em> offering) so be cautious. I don't know if AWS will ever support S3 Vector Buckets that are way more reasonably priced. Let's start by defining an OpenSearch policies because without them, you will have hard time creating anything in this service 🙄. Because encryption policy has to be defined <strong>before</strong> creating the collection, it cannot depend on it so we will define the new collection name in advance in locals (unless you already have something in place like encryption policy with <code>*</code>). Apply this so we can continue.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">collection_name</span> <span class="p">=</span> <span class="s2">"ticketagent-collection"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_opensearchserverless_security_policy"</span> <span class="s2">"encryption"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-encryption"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"encryption"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Rules</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"collection/</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">collection_name</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="nx">ResourceType</span> <span class="p">=</span> <span class="s2">"collection"</span> <span class="p">}</span> <span class="p">],</span> <span class="nx">AWSOwnedKey</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Now after we have the encryption policy we can define the collection and other two policies: network and data access. Network defines if the collection is public and which <strong>private</strong> IPs can access it if you lock it down into VPC as well as AWS services permitted to connect and data access is something like resource policy on S3 bucket defining actions that can be taken by IAM principals.</p> <p>Because we will need access just in a minute, I will open the OpenSearch collection to the public (as there's no public IP restriction list 😵‍💫). Also I will give my current user that executes OpenTofu permissions to manage all data within the collection. And the collection itself will be of type <code>VECTORSEARCH</code> and no replicas 🫠.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="k">resource</span> <span class="s2">"aws_opensearchserverless_collection"</span> <span class="s2">"knowledge_base"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-collection"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"OpenSearch Serverless collection powering the Bedrock KB"</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_opensearchserverless_security_policy</span><span class="p">.</span><span class="nx">encryption</span><span class="p">]</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"VECTORSEARCH"</span> <span class="nx">standby_replicas</span> <span class="p">=</span> <span class="s2">"DISABLED"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_opensearchserverless_security_policy"</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-network"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"network"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">([</span> <span class="p">{</span> <span class="c1"># SourceServices = ["bedrock.amazonaws.com"],</span> <span class="nx">Rules</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">ResourceType</span> <span class="p">=</span> <span class="s2">"collection"</span><span class="p">,</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"collection/</span><span class="k">${</span><span class="nx">aws_opensearchserverless_collection</span><span class="p">.</span><span class="nx">knowledge_base</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="p">}],</span> <span class="nx">AllowFromPublic</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">])</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_opensearchserverless_access_policy"</span> <span class="s2">"data_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-data-policy"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"data"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">([</span> <span class="p">{</span> <span class="nx">Description</span> <span class="p">=</span> <span class="s2">"Full access"</span> <span class="nx">Rules</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">ResourceType</span> <span class="p">=</span> <span class="s2">"collection"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"collection/</span><span class="k">${</span><span class="nx">aws_opensearchserverless_collection</span><span class="p">.</span><span class="nx">knowledge_base</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="nx">Permission</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aoss:*"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">ResourceType</span> <span class="p">=</span> <span class="s2">"index"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"index/</span><span class="k">${</span><span class="nx">aws_opensearchserverless_collection</span><span class="p">.</span><span class="nx">knowledge_base</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">/*"</span><span class="p">]</span> <span class="nx">Permission</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aoss:*"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">ResourceType</span> <span class="p">=</span> <span class="s2">"model"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"model/</span><span class="k">${</span><span class="nx">aws_opensearchserverless_collection</span><span class="p">.</span><span class="nx">knowledge_base</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">/*"</span><span class="p">]</span> <span class="nx">Permission</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aoss:*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">[</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">arn</span> <span class="p">]</span> <span class="p">}</span> <span class="p">])</span> <span class="p">}</span> </code></pre> </div> <h2> Creating index in OpenSearch </h2> <p>When you use AWS Console, there's some magic happening in the background that the index is being created in OpenSearch collection. Somehow Bedrock is not smart enough to create the collection by itself and you have to do it for it. You might think about another Terraform resource, don't you? WRONG ❌. Even though there's AWS CLI command to create and delete an index, there's no IaC construct doing it anywhere. No CloudFormation, no Terraform, no CDK, nothing. (Still think new Elastic license was so bad?) So we will use <code>null</code> resource to create the index using AWS CLI. For the index we need a good schema, so I will define some locals as well for better control.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">index_name</span> <span class="p">=</span> <span class="s2">"ticketagent_index"</span> <span class="nx">vector_dimension</span> <span class="p">=</span> <span class="mi">256</span> <span class="nx">vector_text_field</span> <span class="p">=</span> <span class="s2">"chunk"</span> <span class="nx">vector_metadata_field</span> <span class="p">=</span> <span class="s2">"metadata"</span> <span class="nx">vector_field</span> <span class="p">=</span> <span class="s2">"vector"</span> <span class="nx">schema</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">settings</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">index</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">knn</span> <span class="p">=</span> <span class="kc">true</span> <span class="s2">"knn.algo_param.ef_search"</span> <span class="err">:</span> <span class="mi">512</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">mappings</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">vector_field</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"knn_vector"</span> <span class="nx">dimension</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">vector_dimension</span> <span class="nx">method</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"hnsw"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"faiss"</span> <span class="nx">parameters</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">space_type</span> <span class="p">=</span> <span class="s2">"l2"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">vector_text_field</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"text"</span> <span class="nx">index</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="s2">"</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">vector_metadata_field</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"text"</span> <span class="nx">index</span> <span class="p">=</span> <span class="s2">"false"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Let me explain to you what is happening above. First we configure the vector dimensions - for each text chunk (200 or 300 tokens or words), we generate a vector of size 256 using an embedding model. This vector will hold semantic meaning of this text fragment. If you didn't understand, let me send you <a href="https://hesamation-primer-llm-embedding.static.hf.space/index.html#embeddings_in_modern_llms" rel="noopener noreferrer">to huggingface 🤗</a>. Continuing, I chose my own names for each field in OpenSearch: <code>vector</code> for the vector (we can assume it's the primary key), <code>chunk</code> for the text piece from Confluence and <code>metadata</code> for some Bedrock info like URL of the page scanned, date and time and so on. I will turn of indexing on metadata as we will primarily do queries by <code>vector</code> or maybe <code>chunk</code>. You might want to ask what are the other things in the JSON. <code>hnsw</code> is vector indexing method that puts the index into memory and is fast. As we don't have that much data in Confluence we can easily use that. If we had a lot of text, we might consider <code>ivf</code> method because this one is memory efficient but slow. As an engine we use <code>faiss</code> which stands for... Facebook AI Similarity Search (very scientific name, rite?). And for comparison we use <code>l2</code> which is Euclidean distance (aka literal distance between two points in a straight line). Some say <code>cosinesimil</code> (which is angle between two points) is more reliable but I will just stay with that 🤷. If you want to learn more about all the configurations for vector search <a href="https://docs.opensearch.org/latest/mappings/supported-field-types/knn-methods-engines/" rel="noopener noreferrer">see here</a>.</p> <p>Ok, we have the JSON for the schema, we have collection, we can now create the index with AWS CLI. It might happen that this fails if you apply it all together with the creation of the policies, and if so, try applying again. The index will be recreated each time you destroy/create the collection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_region"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="k">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"index"</span> <span class="p">{</span> <span class="k">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws opensearchserverless create-index --region </span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2"> --id </span><span class="k">${</span><span class="nx">aws_opensearchserverless_collection</span><span class="p">.</span><span class="nx">knowledge_base</span><span class="p">.</span><span class="nx">id</span><span class="k">}</span><span class="s2"> --index-name </span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">index_name</span><span class="k">}</span><span class="s2"> --index-schema '</span><span class="k">${</span><span class="kd">local</span><span class="p">.</span><span class="nx">schema</span><span class="k">}</span><span class="s2">'"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_opensearchserverless_collection</span><span class="p">.</span><span class="nx">knowledge_base</span><span class="p">,</span> <span class="nx">aws_opensearchserverless_access_policy</span><span class="p">.</span><span class="nx">data_policy</span><span class="p">,</span> <span class="nx">aws_opensearchserverless_security_policy</span><span class="p">.</span><span class="nx">network</span><span class="p">]</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">replace_triggered_by</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_opensearchserverless_collection</span><span class="p">.</span><span class="nx">knowledge_base</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Bedrock Knowledge Base (and IAM Role) </h2> <p>Finally, we can create the actual Knowledge Base that will connect to and pull data from Confluence. It will need an IAM Role to use OpenSearch and get the credentials and we will define it first.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"bedrock_kb_assume_role"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"bedrock.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"bedrock_kb_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-bedrock-kb-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">bedrock_kb_assume_role</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"bedrock_kb_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"secretsmanager:GetSecretValue"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">confluence</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kms:Decrypt"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringLike"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"kms:ViaService"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"secretsmanager.</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"bedrock:InvokeModel"</span><span class="p">,</span> <span class="s2">"bedrock:StartIngestionJob"</span><span class="p">,</span> <span class="s2">"bedrock:CreateDataSource"</span><span class="p">,</span> <span class="s2">"bedrock:GetDataSource"</span><span class="p">,</span> <span class="s2">"bedrock:DescribeKnowledgeBase"</span><span class="p">,</span> <span class="s2">"bedrock:Retrieve"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aoss:APIAccessAll"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_opensearchserverless_collection</span><span class="p">.</span><span class="nx">knowledge_base</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"bedrock_kb_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-bedrock-kb-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">bedrock_kb_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">bedrock_kb_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>Next we need to allow this role in OpenSearch'es Data Policy. Let's go back to it and add another principal.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_opensearchserverless_access_policy"</span> <span class="s2">"data_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-data-policy"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"data"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">([</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">[</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">bedrock_kb_role</span><span class="p">.</span><span class="nx">arn</span> <span class="p">]</span> <span class="p">}</span> <span class="p">])</span> <span class="p">}</span> </code></pre> </div> <p>Now we can create the Knowledge Base and data source that will use Confluence. We need to also choose an embedding model. I will simply use Titan v2. I will refer to all the locals we defined during index creation so that every value matches.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">embedding_model_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:bedrock:</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">::foundation-model/amazon.titan-embed-text-v2:0"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_bedrockagent_knowledge_base"</span> <span class="s2">"confluence"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">null_resource</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-confluence-kb"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">bedrock_kb_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Confluence knowledge base backed by OpenSearch Serverless."</span> <span class="nx">knowledge_base_configuration</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"VECTOR"</span> <span class="nx">vector_knowledge_base_configuration</span> <span class="p">{</span> <span class="nx">embedding_model_arn</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">embedding_model_arn</span> <span class="nx">embedding_model_configuration</span> <span class="p">{</span> <span class="nx">bedrock_embedding_model_configuration</span> <span class="p">{</span> <span class="nx">dimensions</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">vector_dimension</span> <span class="nx">embedding_data_type</span> <span class="p">=</span> <span class="s2">"FLOAT32"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">storage_configuration</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"OPENSEARCH_SERVERLESS"</span> <span class="nx">opensearch_serverless_configuration</span> <span class="p">{</span> <span class="nx">collection_arn</span> <span class="p">=</span> <span class="nx">aws_opensearchserverless_collection</span><span class="p">.</span><span class="nx">knowledge_base</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">vector_index_name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">index_name</span> <span class="nx">field_mapping</span> <span class="p">{</span> <span class="nx">vector_field</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">vector_field</span> <span class="nx">text_field</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">vector_text_field</span> <span class="nx">metadata_field</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">vector_metadata_field</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>In data source we need to provide the Secrets Manager's secret and URL of the Atlassian organization you have created at the beginning. That should be something like <code>&lt;my_org&gt;.atlassian.net</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"confluence_instance_url"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Base URL for the Confluence Cloud site (e.g. https://org.atlassian.net)."</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_bedrockagent_data_source"</span> <span class="s2">"confluence"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ticketagent-confluence-source"</span> <span class="nx">knowledge_base_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_knowledge_base</span><span class="p">.</span><span class="nx">confluence</span><span class="p">.</span><span class="nx">id</span> <span class="nx">data_source_configuration</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CONFLUENCE"</span> <span class="nx">confluence_configuration</span> <span class="p">{</span> <span class="nx">source_configuration</span> <span class="p">{</span> <span class="nx">host_url</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">confluence_instance_url</span> <span class="nx">host_type</span> <span class="p">=</span> <span class="s2">"SAAS"</span> <span class="nx">auth_type</span> <span class="p">=</span> <span class="s2">"BASIC"</span> <span class="nx">credentials_secret_arn</span> <span class="p">=</span> <span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">confluence</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Syncing and testing the knowledge base </h2> <p>You can now sync the knowledge base and test retrieval, either using AWS Console or AWS CLI. You can also put some filters when querying. For example I want to just retrieve chunks of type <code>Page</code> and max results of 3.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3l74y2jbe6vik1upa3oj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3l74y2jbe6vik1upa3oj.png" alt="Knowledge base sync in AWS Console" width="800" height="255"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws bedrock-agent start-ingestion-job <span class="se">\</span> <span class="nt">--knowledge-base-id</span> <span class="si">$(</span>tofu output <span class="nt">-raw</span> knowledge_base_id<span class="si">)</span> <span class="se">\</span> <span class="nt">--data-source-id</span> <span class="si">$(</span>tofu output <span class="nt">-raw</span> data_source_id | <span class="nb">cut</span> <span class="nt">-d</span>, <span class="nt">-f1</span><span class="si">)</span> aws bedrock-agent list-ingestion-jobs <span class="se">\</span> <span class="nt">--knowledge-base-id</span> <span class="si">$(</span>tofu output <span class="nt">-raw</span> knowledge_base_id<span class="si">)</span> <span class="se">\</span> <span class="nt">--data-source-id</span> <span class="si">$(</span>tofu output <span class="nt">-raw</span> data_source_id | <span class="nb">cut</span> <span class="nt">-d</span>, <span class="nt">-f1</span><span class="si">)</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'ingestionJobSummaries[].[ingestionJobId,status]'</span> <span class="se">\</span> <span class="nt">--output</span> table <span class="c"># Wait until all jobs are COMPLETE</span> aws bedrock-agent-runtime retrieve <span class="se">\</span> <span class="nt">--knowledge-base-id</span> <span class="si">$(</span>tofu output <span class="nt">-raw</span> knowledge_base_id<span class="si">)</span> <span class="se">\</span> <span class="nt">--retrieval-query</span> <span class="s2">"text=How to connect to VPN"</span> <span class="c"># Responds with some JSONs</span> <span class="c"># Add filtering and max results</span> <span class="nv">FILTER_JSON</span><span class="o">=</span><span class="s1">'{ "vectorSearchConfiguration": { "numberOfResults": 3, "filter": { "equals": { "key": "x-amz-bedrock-kb-category", "value": "Page" } } } }'</span> aws bedrock-agent-runtime retrieve <span class="se">\</span> <span class="nt">--knowledge-base-id</span> <span class="si">$(</span>tofu output <span class="nt">-raw</span> knowledge_base_id<span class="si">)</span> <span class="se">\</span> <span class="nt">--retrieval-query</span> <span class="s2">"text=How to connect to VPN"</span> <span class="se">\</span> <span class="nt">--retrieval-configuration</span> <span class="s2">"</span><span class="nv">$FILTER_JSON</span><span class="s2">"</span> </code></pre> </div> <h2> Going further </h2> <p>In the next part we will implement a helpful agent that will answer our queries and maybe create a first tool for this agent to take some actions. I believe your today's adventure with OpenSearch Serverless was more than enough.</p> bedrock atlassian agents rag Piotr Pabis Tue, 13 Jan 2026 13:06:14 +0000 https://forem.com/ppabis/serverless-picture-gallery-on-google-cloud-part-3-24k1 https://forem.com/ppabis/serverless-picture-gallery-on-google-cloud-part-3-24k1 <p>In the previous episode we created a function that was triggered when a new object was uploaded to the temporary bucket. In this part, we are going to process each image with Gemini Nano Banana to make it look like Cyberpunk (or whatever else you imagine in your prompt). Each processed image will be placed into the main bucket and all the metadata will be kept in Firestore database. Then the index of the site is going to list all the images based on the entries in the database.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fudoqzxdfwuctnemp65um.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fudoqzxdfwuctnemp65um.png" alt="Diagram focusing on Vertex AI and Firestore"></a></p> <p><em>GitHub repo:</em> <a href="https://github.com/ppabis/gcp-photos-gallery" rel="noopener noreferrer"><em>ppabis/gcp-photos-gallery</em></a></p> <p><a href="https://dev.to/ppabis/serverless-picture-gallery-on-google-cloud-part-1-5c0n"><em>Back to part 1</em></a> <a href="https://dev.to/ppabis/serverless-picture-gallery-on-google-cloud-part-2-57mc"><em>Back to part 2</em></a></p> <h2> Creating a Firestore database </h2> <p>Most logical step is to first create a Firestore database. We will be using it in native mode as this is more modern than the datastore one and we don't need MongoDB compatibility with Enterprise edition. Native mode will look either way similar to Mongo as you create collections there as well compared to "kinds" in Datastore. Also in advance we will give permissions for our Service Accounts from both Cloud Run services to interact with this database - the function will have write permissions and the index website will have only read permissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_firestore_database"</span> <span class="s2">"photos_db"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"photos-db"</span> <span class="nx">location_id</span> <span class="p">=</span> <span class="s2">"europe-west4"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"FIRESTORE_NATIVE"</span> <span class="nx">delete_protection_state</span> <span class="p">=</span> <span class="s2">"DELETE_PROTECTION_DISABLED"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"website_firestore_reader"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/datastore.viewer"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">cloud_run_sa</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"processor_firestore_user"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/datastore.user"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">processor_sa</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> </code></pre> </div> <h2> Revisiting the event triggered function </h2> <p>Let's go back to the function that processes the image. First we want to save the details in the database. Because Firestore is a NoSQL database, you can put any structure to each object in a collection without worrying about any rigid schema. We can put some date and labels returned from Vision API as the first test. I will put here again the main handler function of the Cloud Run Function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@functions_framework.cloud_event</span> <span class="k">def</span> <span class="nf">process_image</span><span class="p">(</span><span class="n">cloud_event</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="n">cloud_event</span><span class="p">.</span><span class="n">data</span> <span class="k">def</span> <span class="nf">log</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="n">sev</span><span class="o">=</span><span class="sh">"</span><span class="s">INFO</span><span class="sh">"</span><span class="p">):</span> <span class="n">header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">X-Cloud-Trace-Context</span><span class="sh">"</span><span class="p">)</span> <span class="n">tid</span> <span class="o">=</span> <span class="n">header</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">header</span> <span class="k">else</span> <span class="sh">"</span><span class="s">n/a</span><span class="sh">"</span> <span class="nf">print</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="n">msg</span><span class="p">,</span> <span class="sh">"</span><span class="s">severity</span><span class="sh">"</span><span class="p">:</span> <span class="n">sev</span><span class="p">,</span> <span class="sh">"</span><span class="s">logging.googleapis.com/trace</span><span class="sh">"</span><span class="p">:</span> <span class="n">tid</span> <span class="p">}))</span> <span class="n">image_path</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">gs://</span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">bucket</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="n">labels</span> <span class="o">=</span> <span class="nf">label_image</span><span class="p">(</span><span class="n">image_path</span><span class="p">,</span> <span class="n">log</span><span class="p">)</span> <span class="nf">log</span><span class="p">(</span><span class="sh">"</span><span class="s">Labels detected by Vision API: </span><span class="sh">"</span> <span class="o">+</span> <span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">labels</span><span class="p">))</span> </code></pre> </div> <p>As you see, we were receiving a list of labels from Vision API and printing them out with <code>log</code> function. Into requirements.txt add <code>google-cloud-firestore</code> and write the following function that will let us save the data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">firestore</span> <span class="k">def</span> <span class="nf">save_image_details</span><span class="p">(</span><span class="n">image_name</span><span class="p">,</span> <span class="n">bucket_name</span><span class="p">,</span> <span class="n">labels</span><span class="p">,</span> <span class="n">log</span><span class="p">):</span> <span class="n">db_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">FIRESTORE_DB</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">(default)</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">db</span> <span class="o">=</span> <span class="n">firestore</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span><span class="n">database</span><span class="o">=</span><span class="n">db_name</span><span class="p">)</span> <span class="n">doc_ref</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="sh">"</span><span class="s">photos</span><span class="sh">"</span><span class="p">).</span><span class="nf">document</span><span class="p">(</span><span class="n">image_name</span><span class="p">)</span> <span class="n">doc_ref</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="sh">"</span><span class="s">filename</span><span class="sh">"</span><span class="p">:</span> <span class="n">image_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">bucket</span><span class="sh">"</span><span class="p">:</span> <span class="n">bucket_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">labels</span><span class="sh">"</span><span class="p">:</span> <span class="n">labels</span><span class="p">,</span> <span class="sh">"</span><span class="s">processed_at</span><span class="sh">"</span><span class="p">:</span> <span class="n">firestore</span><span class="p">.</span><span class="n">SERVER_TIMESTAMP</span> <span class="p">})</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">log</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error saving image details to Firestore: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ERROR</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Now we can simply call this function in the handler with appropriate arguments. Also in Terraform you need to add an environment variable called <code>FIRESTORE_DB</code> that will contain the name of the database to connect to.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@functions_framework.cloud_event</span> <span class="k">def</span> <span class="nf">process_image</span><span class="p">(</span><span class="n">cloud_event</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="n">cloud_event</span><span class="p">.</span><span class="n">data</span> <span class="bp">...</span> <span class="n">image_path</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">gs://</span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">bucket</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="n">labels</span> <span class="o">=</span> <span class="nf">label_image</span><span class="p">(</span><span class="n">image_path</span><span class="p">,</span> <span class="n">log</span><span class="p">)</span> <span class="nf">log</span><span class="p">(</span><span class="sh">"</span><span class="s">Labels detected by Vision API: </span><span class="sh">"</span> <span class="o">+</span> <span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">labels</span><span class="p">))</span> <span class="nf">save_image_details</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">],</span> <span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">bucket</span><span class="sh">'</span><span class="p">],</span> <span class="n">labels</span><span class="p">,</span> <span class="n">log</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_cloudfunctions2_function"</span> <span class="s2">"image_processor"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"image-processor"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"europe-west4"</span> <span class="p">...</span> <span class="nx">service_config</span> <span class="p">{</span> <span class="nx">max_instance_count</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">...</span> <span class="nx">environment_variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">FIRESTORE_DB</span> <span class="p">=</span> <span class="nx">google_firestore_database</span><span class="p">.</span><span class="nx">photos_db</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Augmenting the image with Vertex AI </h2> <p>In the same place we will now create another helper function that will call Nano Banana on Vertex AI. Add <code>google-genai</code> and <code>Pillow</code> to the requirements.txt file. First we need to download the image into memory as Gemini client expects us to pass raw data. I will place it in another function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">storage</span> <span class="k">def</span> <span class="nf">_get_image_from_bucket</span><span class="p">(</span><span class="n">image_name</span><span class="p">,</span> <span class="n">source_bucket</span><span class="p">):</span> <span class="n">blob</span> <span class="o">=</span> <span class="n">storage</span><span class="p">.</span><span class="nc">Client</span><span class="p">().</span><span class="nf">bucket</span><span class="p">(</span><span class="n">source_bucket</span><span class="p">).</span><span class="nf">blob</span><span class="p">(</span><span class="n">image_name</span><span class="p">)</span> <span class="n">blob</span><span class="p">.</span><span class="nf">reload</span><span class="p">()</span> <span class="n">mime_type</span> <span class="o">=</span> <span class="n">blob</span><span class="p">.</span><span class="n">content_type</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">image/jpeg</span><span class="sh">"</span> <span class="n">image_bytes</span> <span class="o">=</span> <span class="n">blob</span><span class="p">.</span><span class="nf">download_as_bytes</span><span class="p">()</span> <span class="k">return</span> <span class="n">image_bytes</span><span class="p">,</span> <span class="n">mime_type</span> </code></pre> </div> <p>The next one is calling the actual model in order to augment the image based on the prompt. The prompt is a parameter for now to fill later based on your taste. Because we will be using Gemini through Vertex AI, it's important to mark <code>vertexai=True</code> in the client constructor as otherwise it will try to use standalone Gemini API to which you need an API key. In the response we iterate through all parts as the model also returns thinking process and some possible comment as well. We log the messages (viewable in Logs Explorer) and return only image inline data - the focus of our project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">google.genai</span> <span class="k">as</span> <span class="n">genai</span> <span class="kn">import</span> <span class="n">google.auth</span> <span class="k">def</span> <span class="nf">_gemini_augment</span><span class="p">(</span><span class="n">image_data</span><span class="p">,</span> <span class="n">mime_type</span><span class="p">,</span> <span class="n">prompt</span><span class="p">,</span> <span class="n">log</span><span class="p">):</span> <span class="n">credentials</span><span class="p">,</span> <span class="n">project_id</span> <span class="o">=</span> <span class="n">google</span><span class="p">.</span><span class="n">auth</span><span class="p">.</span><span class="nf">default</span><span class="p">()</span> <span class="n">client</span> <span class="o">=</span> <span class="n">genai</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span> <span class="n">vertexai</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">project</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">location</span><span class="o">=</span><span class="sh">"</span><span class="s">global</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Call Nano Banana Pro to augment the image </span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="n">models</span><span class="p">.</span><span class="nf">generate_content</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gemini-3-pro-image-preview</span><span class="sh">"</span><span class="p">,</span> <span class="n">contents</span><span class="o">=</span><span class="p">[</span> <span class="n">prompt</span><span class="p">,</span> <span class="n">genai</span><span class="p">.</span><span class="n">types</span><span class="p">.</span><span class="n">Part</span><span class="p">.</span><span class="nf">from_bytes</span><span class="p">(</span><span class="n">data</span><span class="o">=</span><span class="n">image_data</span><span class="p">,</span> <span class="n">mime_type</span><span class="o">=</span><span class="n">mime_type</span><span class="p">)</span> <span class="p">]</span> <span class="p">)</span> <span class="k">for</span> <span class="n">candidate</span> <span class="ow">in</span> <span class="n">response</span><span class="p">.</span><span class="n">candidates</span><span class="p">:</span> <span class="k">for</span> <span class="n">part</span> <span class="ow">in</span> <span class="n">candidate</span><span class="p">.</span><span class="n">content</span><span class="p">.</span><span class="n">parts</span><span class="p">:</span> <span class="k">if</span> <span class="n">part</span><span class="p">.</span><span class="n">text</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">log</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Gemini output text: </span><span class="si">{</span><span class="n">part</span><span class="p">.</span><span class="n">text</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">part</span><span class="p">.</span><span class="n">inline_data</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">log</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Inline data found: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">part</span><span class="p">.</span><span class="n">inline_data</span><span class="p">.</span><span class="n">data</span><span class="p">)</span><span class="si">}</span><span class="s"> bytes</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">part</span><span class="p">.</span><span class="n">inline_data</span><span class="p">.</span><span class="n">data</span> <span class="nf">log</span><span class="p">(</span><span class="sh">"</span><span class="s">No augmented image data found</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <p>The next function will be used for storing the augmented image into our actual photos bucket. Gemini always returns PNG format. As a return we will get a public URL of the image (starts with <code>https://storage.googleapis.com</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_upload_image_to_bucket</span><span class="p">(</span><span class="n">image_bytes</span><span class="p">,</span> <span class="n">target_bucket</span><span class="p">,</span> <span class="n">image_name</span><span class="p">,</span> <span class="n">log</span><span class="p">):</span> <span class="c1"># Change extension to PNG, keep all the other parts of the name </span> <span class="n">target_blob_name</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">images/</span><span class="si">{</span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">image_name</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">)[</span><span class="si">:</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span><span class="si">}</span><span class="s">.png</span><span class="sh">"</span> <span class="n">target_blob</span> <span class="o">=</span> <span class="n">storage</span><span class="p">.</span><span class="nc">Client</span><span class="p">().</span><span class="nf">bucket</span><span class="p">(</span><span class="n">target_bucket</span><span class="p">).</span><span class="nf">blob</span><span class="p">(</span><span class="n">target_blob_name</span><span class="p">)</span> <span class="n">target_blob</span><span class="p">.</span><span class="nf">upload_from_string</span><span class="p">(</span><span class="n">image_bytes</span><span class="p">,</span> <span class="n">content_type</span><span class="o">=</span><span class="sh">"</span><span class="s">image/png</span><span class="sh">"</span><span class="p">)</span> <span class="nf">log</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Successfully uploaded augmented image to </span><span class="si">{</span><span class="n">target_blob</span><span class="p">.</span><span class="n">public_url</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">target_blob</span><span class="p">.</span><span class="n">public_url</span> </code></pre> </div> <p>Together the high level function will look something like this, where we first load the image, send it to Gemini with prompt for augmentation and then look for returned image to save in the bucket. I also here give you some example prompt I used for this project - feel free to adapt it however you like. I added Vision API labels into the prompt as well, although I believe they won't affect the result anyhow.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">augment_image</span><span class="p">(</span><span class="n">image_name</span><span class="p">,</span> <span class="n">source_bucket</span><span class="p">,</span> <span class="n">target_bucket</span><span class="p">,</span> <span class="n">labels</span><span class="p">,</span> <span class="n">log</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">PROMPT</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> The image has the following labels detected by Vision API: </span><span class="si">{</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">labels</span><span class="p">)</span><span class="si">}</span><span class="s">. Augment this image to make it look like a scene from cyberpunk. Futuristic, neons, bright colors in dark environments. </span><span class="sh">"""</span> <span class="n">image_bytes</span><span class="p">,</span> <span class="n">mime_type</span> <span class="o">=</span> <span class="nf">_get_image_from_bucket</span><span class="p">(</span><span class="n">image_name</span><span class="p">,</span> <span class="n">source_bucket</span><span class="p">)</span> <span class="n">augmented_image_data</span> <span class="o">=</span> <span class="nf">_gemini_augment</span><span class="p">(</span><span class="n">image_bytes</span><span class="p">,</span> <span class="n">mime_type</span><span class="p">,</span> <span class="n">PROMPT</span><span class="p">,</span> <span class="n">log</span><span class="p">)</span> <span class="k">if</span> <span class="n">augmented_image_data</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">return</span> <span class="nf">_upload_image_to_bucket</span><span class="p">(</span><span class="n">augmented_image_data</span><span class="p">,</span> <span class="n">target_bucket</span><span class="p">,</span> <span class="n">image_name</span><span class="p">,</span> <span class="n">log</span><span class="p">)</span> </code></pre> </div> <p>That way we can add this function to our workflow and modify the Firestore record as well. We extend it by argument called <code>augmented_image_url</code>. What is more we need to load another environment variable which is the target bucket for storing photos as the Cloud Run Function doesn't know where to do it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">save_image_details</span><span class="p">(</span><span class="n">image_name</span><span class="p">,</span> <span class="n">bucket_name</span><span class="p">,</span> <span class="n">labels</span><span class="p">,</span> <span class="n">augmented_image_url</span><span class="p">,</span> <span class="n">log</span><span class="p">):</span> <span class="n">db_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">FIRESTORE_DB</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">(default)</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">db</span> <span class="o">=</span> <span class="n">firestore</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span><span class="n">database</span><span class="o">=</span><span class="n">db_name</span><span class="p">)</span> <span class="n">doc_ref</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="sh">"</span><span class="s">photos</span><span class="sh">"</span><span class="p">).</span><span class="nf">document</span><span class="p">(</span><span class="n">image_name</span><span class="p">)</span> <span class="n">doc_ref</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="sh">"</span><span class="s">filename</span><span class="sh">"</span><span class="p">:</span> <span class="n">image_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">bucket</span><span class="sh">"</span><span class="p">:</span> <span class="n">bucket_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">labels</span><span class="sh">"</span><span class="p">:</span> <span class="n">labels</span><span class="p">,</span> <span class="sh">"</span><span class="s">augmented_image_url</span><span class="sh">"</span><span class="p">:</span> <span class="n">augmented_image_url</span><span class="p">,</span> <span class="sh">"</span><span class="s">processed_at</span><span class="sh">"</span><span class="p">:</span> <span class="n">firestore</span><span class="p">.</span><span class="n">SERVER_TIMESTAMP</span> <span class="p">})</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">log</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error saving image details to Firestore: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ERROR</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@functions_framework.cloud_event</span> <span class="k">def</span> <span class="nf">process_image</span><span class="p">(</span><span class="n">cloud_event</span><span class="p">):</span> <span class="n">TARGET_BUCKET</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">TARGET_BUCKET</span><span class="sh">"</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">cloud_event</span><span class="p">.</span><span class="n">data</span> <span class="bp">...</span> <span class="n">image_path</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">gs://</span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">bucket</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="n">labels</span> <span class="o">=</span> <span class="nf">label_image</span><span class="p">(</span><span class="n">image_path</span><span class="p">,</span> <span class="n">log</span><span class="p">)</span> <span class="n">url</span> <span class="o">=</span> <span class="nf">augment_image</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">],</span> <span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">bucket</span><span class="sh">'</span><span class="p">],</span> <span class="n">TARGET_BUCKET</span><span class="p">,</span> <span class="n">labels</span><span class="p">,</span> <span class="n">log</span><span class="p">)</span> <span class="nf">save_image_details</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">],</span> <span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">bucket</span><span class="sh">'</span><span class="p">],</span> <span class="n">labels</span><span class="p">,</span> <span class="n">url</span><span class="p">,</span> <span class="n">log</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_cloudfunctions2_function"</span> <span class="s2">"image_processor"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"image-processor"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"europe-west4"</span> <span class="p">...</span> <span class="nx">service_config</span> <span class="p">{</span> <span class="nx">max_instance_count</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">...</span> <span class="nx">environment_variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">FIRESTORE_DB</span> <span class="p">=</span> <span class="nx">google_firestore_database</span><span class="p">.</span><span class="nx">photos_db</span><span class="p">.</span><span class="nx">name</span> <span class="nx">TARGET_BUCKET</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">photos_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We also need to give some additional permissions to the service account of our function. Firstly, it needs to be able to write to the photos bucket and also call Vertex AI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"processor_ai_user"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/aiplatform.user"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">processor_sa</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_storage_bucket_iam_member"</span> <span class="s2">"processor_target_writer"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">photos_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/storage.objectCreator"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">processor_sa</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> </code></pre> </div> <p>Now when we upload the image to the gallery, an augmented version of it should land in the photos bucket and records should be created in Firestore database.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyt1qqvvcz8bs1undm1og.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyt1qqvvcz8bs1undm1og.jpg" alt="Records in Firestore"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpy4lgjyrfkvwfowyo70g.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpy4lgjyrfkvwfowyo70g.jpg" alt="Augmented images"></a></p> <h2> Displaying all photos on the website </h2> <p>We need to first add environment variables pointing to the database name and giving the load balancer endpoint (useful to fix the URL of the image). We don't need to give permissions for the website to read the bucket as we have already given public read access to it for <code>allUsers</code> and all the images we want to display are already indexed by Firestore.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_cloud_run_v2_service"</span> <span class="s2">"website_service"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"website-service"</span> <span class="p">...</span> <span class="nx">template</span> <span class="p">{</span> <span class="nx">containers</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">env</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"UPLOAD_BUCKET"</span> <span class="c1"># Was here already</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">tmp_upload_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">env</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"FIRESTORE_DB"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_firestore_database</span><span class="p">.</span><span class="nx">photos_db</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">env</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"DOMAIN"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_global_address</span><span class="p">.</span><span class="nx">lb_ip</span><span class="p">.</span><span class="nx">address</span> <span class="c1"># Unless you have your own domain</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>Add <code>google-cloud-firestore</code> to <code>requirements.txt</code> of the index website (the one built with Docker locally) and modify the <code>main.py</code> file. First initialize the Firestore client and then change the index to stream all the object in the database, get properties that interest us and create a list out of it. Further this list is passed to Jinja template to render a nice looking HTML from it. I just give the small excerpt of the website as all the CSS can be easily vibe-coded to make something spectacular 🤣.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="bp">...</span> <span class="n">db_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">FIRESTORE_DB</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">(default)</span><span class="sh">"</span><span class="p">)</span> <span class="n">db</span> <span class="o">=</span> <span class="n">firestore</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span><span class="n">database</span><span class="o">=</span><span class="n">db_name</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">index</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">fastapi</span><span class="p">.</span><span class="n">Request</span><span class="p">):</span> <span class="n">domain</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">DOMAIN</span><span class="sh">"</span><span class="p">)</span> <span class="n">records</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="sh">"</span><span class="s">photos</span><span class="sh">"</span><span class="p">).</span><span class="nf">stream</span><span class="p">()</span> <span class="n">photos</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">record</span> <span class="ow">in</span> <span class="n">records</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()</span> <span class="n">url</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">augmented_image_url</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://picsum.photos/640/480</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Replace the googleapis with domain if it's not a https://picsum.photos placeholder </span> <span class="n">url</span> <span class="o">=</span> <span class="n">url</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">https://storage.googleapis.com/</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">http://{domain}/</span><span class="sh">"</span><span class="p">)</span> <span class="n">photos</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">:</span> <span class="n">url</span><span class="p">,</span> <span class="sh">"</span><span class="s">labels</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">labels</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]))</span> <span class="p">})</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span> <span class="sh">"</span><span class="s">index.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">photos</span><span class="sh">"</span><span class="p">:</span> <span class="n">photos</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;ul</span> <span class="na">class=</span><span class="s">"gallery"</span><span class="nt">&gt;</span> {% for photo in photos %} <span class="nt">&lt;li&gt;</span> <span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"{{ photo.url }}"</span> <span class="na">alt=</span><span class="s">"Gallery Image"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"overlay"</span><span class="nt">&gt;</span> {{ photo.labels }} <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/li&gt;</span> {% endfor %} <span class="nt">&lt;/ul&gt;</span> </code></pre> </div> <p>That way we can now view all the images on our website and look at the labels that were detected. There's so much more you can do with this project. Maybe generating videos with Veo or creating a story for each image with Gemini Flash and playing Chirp-generated narration <code>onmouseover</code>?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu991r3suh0ofqlplbzet.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu991r3suh0ofqlplbzet.jpg" alt="Finished gallery"></a></p> gcp googlecloud vertexai Piotr Pabis Mon, 12 Jan 2026 08:00:00 +0000 https://forem.com/ppabis/serverless-picture-gallery-on-google-cloud-part-2-57mc https://forem.com/ppabis/serverless-picture-gallery-on-google-cloud-part-2-57mc <p>In this episode we will continue the project and implement uploading functionality using presigned URLs generated by Cloud Storage. What is more, on successful uploads we are going to trigger a Cloud Run Function that will pass the uploaded image to Vision API to describe it with labels that initially we will only print to the logs. To see the parts we will be creating, look at the diagram below.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw1sd9kxbhu475wu61d46.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw1sd9kxbhu475wu61d46.png" alt="Part 2 of the project - uploading and labeling with Vision API" width="658" height="388"></a></p> <p><em>GitHub repository:</em> <a href="https://github.com/ppabis/gcp-photos-gallery" rel="noopener noreferrer"><em>ppabis/gcp-photos-gallery</em></a></p> <p><a href="https://dev.to/ppabis/serverless-picture-gallery-on-google-cloud-part-1-5c0n"><em>Back to part 1</em></a></p> <h2> Uploads bucket and permissions </h2> <p>First we need a place to upload our images somewhere. For simplicity, we can create another bucket. I will also add lifecycle policy to this bucket so that it is being cleaned up every day in case some uploads cause failure in the function. What is also important is to allow uploading to the bucket from any domain. Cross Origin Resource Sharing (CORS) will block by default any interactions that are not coming from the same domain (in that case <code>storage.googleapis.com</code>), so we need a custom header for this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"tmp_upload_bucket"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"tmp-upload-</span><span class="k">${</span><span class="nx">random_string</span><span class="p">.</span><span class="nx">bucket_name</span><span class="p">.</span><span class="nx">result</span><span class="k">}</span><span class="s2">"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"EU"</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="nx">uniform_bucket_level_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">lifecycle_rule</span> <span class="p">{</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Delete"</span> <span class="p">}</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">age</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">cors</span> <span class="p">{</span> <span class="nx">origin</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">method</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"PUT"</span><span class="p">,</span> <span class="s2">"POST"</span><span class="p">]</span> <span class="nx">response_header</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"Content-Type"</span><span class="p">]</span> <span class="nx">max_age_seconds</span> <span class="p">=</span> <span class="mi">3600</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>As the next step we need to allow our Cloud Run service to write to the bucket as well as generate presigned URLs. Even though we will not be directly writing any data from the container, presigned URLs will inherit the subset of permissions of the creator, in our case Cloud Run's Service Account. As you remember from the previous episode, we have attached an empty Service Account to the service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_storage_bucket_iam_member"</span> <span class="s2">"sa_storage_creator_tmp"</span> <span class="p">{</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">cloud_run_sa</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">tmp_upload_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/storage.objectCreator"</span> <span class="p">}</span> <span class="c1"># Allow SA to sign URLs</span> <span class="k">resource</span> <span class="s2">"google_service_account_iam_member"</span> <span class="s2">"sa_token_creator"</span> <span class="p">{</span> <span class="nx">service_account_id</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">cloud_run_sa</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/iam.serviceAccountTokenCreator"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">cloud_run_sa</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> </code></pre> </div> <h2> Generating Presigned URLs for direct uploads to the bucket </h2> <p>When we use Presigned URL to <code>PUT</code> or <code>POST</code> an object to the Cloud Storage, we save on network bandwidth and CPU cycles, as any compute service just throws an authenticated link to the user (which is some kilobytes long) and then it's just up to the client to interact with Cloud Storage. We just specify location, token and then all the bits go directly to the bucket.</p> <p>Let's define the function for uploading the images in Python. For simplicity, the following function will only process JPG images but in the repository you will find a more sophisticated function for many MIME types.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">uuid</span><span class="p">,</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">storage</span> <span class="kn">import</span> <span class="n">google.auth</span> <span class="kn">import</span> <span class="n">google.auth.transport.requests</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/upload-url</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_upload_url</span><span class="p">():</span> <span class="n">credentials</span><span class="p">,</span> <span class="n">project_id</span> <span class="o">=</span> <span class="n">google</span><span class="p">.</span><span class="n">auth</span><span class="p">.</span><span class="nf">default</span><span class="p">()</span> <span class="n">credentials</span><span class="p">.</span><span class="nf">refresh</span><span class="p">(</span><span class="n">google</span><span class="p">.</span><span class="n">auth</span><span class="p">.</span><span class="n">transport</span><span class="p">.</span><span class="n">requests</span><span class="p">.</span><span class="nc">Request</span><span class="p">())</span> <span class="n">bucket_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">UPLOAD_BUCKET</span><span class="sh">"</span><span class="p">)</span> <span class="n">blob_name</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">()</span><span class="si">}</span><span class="s">.jpg</span><span class="sh">"</span> <span class="n">blob</span> <span class="o">=</span> <span class="n">storage</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span><span class="n">credentials</span><span class="o">=</span><span class="n">credentials</span><span class="p">).</span><span class="nf">bucket</span><span class="p">(</span><span class="n">bucket_name</span><span class="p">).</span><span class="nf">blob</span><span class="p">(</span><span class="n">blob_name</span><span class="p">)</span> <span class="n">url</span> <span class="o">=</span> <span class="n">blob</span><span class="p">.</span><span class="nf">generate_signed_url</span><span class="p">(</span> <span class="n">version</span><span class="o">=</span><span class="sh">"</span><span class="s">v4</span><span class="sh">"</span><span class="p">,</span> <span class="n">expiration</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">15</span><span class="p">),</span> <span class="n">method</span><span class="o">=</span><span class="sh">"</span><span class="s">PUT</span><span class="sh">"</span><span class="p">,</span> <span class="n">content_type</span><span class="o">=</span><span class="sh">"</span><span class="s">image/jpeg</span><span class="sh">"</span><span class="p">,</span> <span class="n">access_token</span><span class="o">=</span><span class="n">credentials</span><span class="p">.</span><span class="n">token</span><span class="p">,</span> <span class="n">service_account_email</span><span class="o">=</span><span class="n">credentials</span><span class="p">.</span><span class="n">service_account_email</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">:</span> <span class="n">url</span><span class="p">}</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/upload</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">upload_page</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">fastapi</span><span class="p">.</span><span class="n">Request</span><span class="p">):</span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">upload.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">})</span> </code></pre> </div> <p>First, we need to refresh Google Cloud credentials, which will give us a new token. Then we will use these specific credentials for the Cloud Storage client and ask the service to sign the URL with our token. You might ask why can't we just do it like in AWS: use our IAM Role tied to Lambda to generate presigned URL? For some reason Google Cloud implements two types of credentials: one is typical tokens (like AWS STS with assumed roles) and another is "compute" credentials that have no private key that is needed for signing. It's just an implementation detail that nobody questions 🙄.</p> <p>Either way continuing with our website, now we need to upload the file somehow. In AWS S3 we would get a token for <code>POST</code> method that just accepts HTML forms. In GCP we need to use JavaScript to perform a <code>PUT</code> request. So our site will be a bit interactive. First we will generate a new signed URL when the user picks a file in file chooser and then we will perform a <code>PUT</code> on a button click.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"upload-container"</span><span class="nt">&gt;</span> <span class="nt">&lt;form</span> <span class="na">id=</span><span class="s">"upload-form"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">id=</span><span class="s">"file-input"</span> <span class="na">name=</span><span class="s">"file"</span> <span class="na">accept=</span><span class="s">"image/*"</span> <span class="na">required</span><span class="nt">&gt;</span> <span class="nt">&lt;br&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">id=</span><span class="s">"upload-button"</span> <span class="na">class=</span><span class="s">"btn-submit"</span> <span class="na">disabled</span><span class="nt">&gt;</span>Upload to Gallery<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fileInput</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">file-input</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">uploadButton</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">upload-button</span><span class="dl">'</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">signedUrl</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// When user selects a file, call /api/upload-url and enable the "Upload" button</span> <span class="nx">fileInput</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">change</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">file</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Requesting upload permission...</span><span class="dl">'</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/upload-url</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">url</span><span class="p">)</span> <span class="p">{</span> <span class="nx">signedUrl</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">url</span><span class="p">;</span> <span class="nx">uploadButton</span><span class="p">.</span><span class="nx">disabled</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error: </span><span class="dl">'</span> <span class="o">+</span> <span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">error</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">Could not get upload URL</span><span class="dl">'</span><span class="p">));</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error connecting to server.</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">e</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">uploadButton</span><span class="p">.</span><span class="nx">disabled</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">signedUrl</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Now we can create another listener on button click that will perform the <code>PUT</code> request to server and send us back to the index of the website.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">uploadForm</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">upload-form</span><span class="dl">'</span><span class="p">);</span> <span class="nx">uploadForm</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">submit</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="kd">function</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nf">preventDefault</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">signedUrl</span> <span class="o">||</span> <span class="o">!</span><span class="nx">fileInput</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="k">return</span><span class="p">;</span> <span class="nx">uploadButton</span><span class="p">.</span><span class="nx">disabled</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">file</span> <span class="o">=</span> <span class="nx">fileInput</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">signedUrl</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">PUT</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">file</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">image/jpeg</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">statusText</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Upload successful! Redirect to index</span><span class="dl">'</span><span class="p">);</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">;</span> <span class="p">},</span> <span class="mi">2000</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error during upload.</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">error</span><span class="p">);</span> <span class="nx">uploadButton</span><span class="p">.</span><span class="nx">disabled</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>The last thing you have to do is to place <code>UPLOAD_BUCKET</code> environment variable in the original service we created in the previous part.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_cloud_run_v2_service"</span> <span class="s2">"website_service"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"website-service"</span> <span class="p">...</span> <span class="nx">template</span> <span class="p">{</span> <span class="nx">containers</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">env</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"UPLOAD_BUCKET"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">tmp_upload_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>I exposed the HTML file on <code>/upload</code> endpoint (although it's just a static file, you can host it in the bucket as well). Now when rebuild and redeploy the container and try to upload an image when you go to this URL on the Load Balancer, it should appear in the temporary bucket.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6og42ixtqi1vu4ivwp2a.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6og42ixtqi1vu4ivwp2a.jpg" alt="Photo uploaded to the bucket" width="648" height="515"></a></p> <h2> Cloud Run Function for labeling the image </h2> <p>We can now continue to create a Cloud Run Function that will process each uploaded image to the temporary bucket. For that we will use <code>functions-framework</code> library for Python (as this is my language of choice). It provides some decorators and classes that allow us to bind code and Cloud Run Functions infrastructure. Our function will be later triggered by Eventarc so we specify <code>cloud_event</code> as the entry point. This is similar to Lambda being triggered by EventBridge.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">functions_framework</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">request</span> <span class="nd">@functions_framework.cloud_event</span> <span class="k">def</span> <span class="nf">process_image</span><span class="p">(</span><span class="n">cloud_event</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="n">cloud_event</span><span class="p">.</span><span class="n">data</span> <span class="bp">...</span> </code></pre> </div> <p>I will also define a helper <code>log</code> function that will be useful to format the logs in a way expected by Logs Explorer and set the severity of the log as well. Next I will define another function that will call Vision API with the path to the uploaded object in the bucket. This function will get the applied labels with scores formatted as string to be easy to use later.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@functions_framework.cloud_event</span> <span class="k">def</span> <span class="nf">process_image</span><span class="p">(</span><span class="n">cloud_event</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="n">cloud_event</span><span class="p">.</span><span class="n">data</span> <span class="k">def</span> <span class="nf">log</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="n">sev</span><span class="o">=</span><span class="sh">"</span><span class="s">INFO</span><span class="sh">"</span><span class="p">):</span> <span class="n">header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">X-Cloud-Trace-Context</span><span class="sh">"</span><span class="p">)</span> <span class="n">tid</span> <span class="o">=</span> <span class="n">header</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">header</span> <span class="k">else</span> <span class="sh">"</span><span class="s">n/a</span><span class="sh">"</span> <span class="nf">print</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="n">msg</span><span class="p">,</span> <span class="sh">"</span><span class="s">severity</span><span class="sh">"</span><span class="p">:</span> <span class="n">sev</span><span class="p">,</span> <span class="sh">"</span><span class="s">logging.googleapis.com/trace</span><span class="sh">"</span><span class="p">:</span> <span class="n">tid</span> <span class="p">}))</span> <span class="n">image_path</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">gs://</span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">bucket</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="n">labels</span> <span class="o">=</span> <span class="nf">label_image</span><span class="p">(</span><span class="n">image_path</span><span class="p">,</span> <span class="n">log</span><span class="p">)</span> <span class="nf">log</span><span class="p">(</span><span class="sh">"</span><span class="s">Labels detected by Vision API: </span><span class="sh">"</span> <span class="o">+</span> <span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">labels</span><span class="p">))</span> <span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">vision</span> <span class="k">def</span> <span class="nf">label_image</span><span class="p">(</span><span class="n">image_path</span><span class="p">,</span> <span class="n">log</span><span class="p">):</span> <span class="n">client</span> <span class="o">=</span> <span class="n">vision</span><span class="p">.</span><span class="nc">ImageAnnotatorClient</span><span class="p">()</span> <span class="n">image</span> <span class="o">=</span> <span class="n">vision</span><span class="p">.</span><span class="nc">Image</span><span class="p">()</span> <span class="n">image</span><span class="p">.</span><span class="n">source</span><span class="p">.</span><span class="n">gcs_image_uri</span> <span class="o">=</span> <span class="n">image_path</span> <span class="k">try</span><span class="p">:</span> <span class="nf">log</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Labelling image: </span><span class="si">{</span><span class="n">image_path</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">label_detection</span><span class="p">(</span><span class="n">image</span><span class="o">=</span><span class="n">image</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">message</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">message</span><span class="p">)</span> <span class="n">labels</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="n">label_annotations</span> <span class="k">return</span> <span class="p">[</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">label</span><span class="p">.</span><span class="n">description</span><span class="si">}</span><span class="s"> (score: </span><span class="si">{</span><span class="n">label</span><span class="p">.</span><span class="n">score</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span> <span class="k">for</span> <span class="n">label</span> <span class="ow">in</span> <span class="n">labels</span> <span class="p">]</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">log</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error processing image with Vision API: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ERROR</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="n">e</span> </code></pre> </div> <h2> Packing the function and deploying </h2> <p>Just as Lambda we need to package the Cloud Run function as a ZIP file. But also we need to put it into a bucket first and then give Cloud Run <code>gs://</code> location. The following Terraform code will zip and upload the code to the bucket and do it every time there are changes in <code>image_processor</code> directory. Remember to also add <code>requirements.txt</code> in this directory with the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>functions-framework==3.* google-cloud-vision google-cloud-storage </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"function_source_bucket"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"function-source-</span><span class="k">${</span><span class="nx">random_string</span><span class="p">.</span><span class="nx">bucket_name</span><span class="p">.</span><span class="nx">result</span><span class="k">}</span><span class="s2">"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"EU"</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="nx">uniform_bucket_level_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"archive_file"</span> <span class="s2">"processor_source"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_dir</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/image_processor"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/image_processor.zip"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_storage_bucket_object"</span> <span class="s2">"processor_zip"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"source-</span><span class="k">${data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">processor_source</span><span class="p">.</span><span class="nx">output_md5</span><span class="k">}</span><span class="s2">.zip"</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">function_source_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">source</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">processor_source</span><span class="p">.</span><span class="nx">output_path</span> <span class="p">}</span> </code></pre> </div> <p>Now we can define the new Cloud Run Function along with its Service Account. We will give permissions to read data in the temporary bucket as well as execute Vision API. To make the function future-proof, I will also set the memory to 512 MB and give a generous timeout of 200 seconds.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_cloudfunctions2_function"</span> <span class="s2">"image_processor"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"image-processor"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"europe-west4"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Background processor for uploaded images"</span> <span class="nx">build_config</span> <span class="p">{</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python311"</span> <span class="nx">entry_point</span> <span class="p">=</span> <span class="s2">"process_image"</span> <span class="nx">source</span> <span class="p">{</span> <span class="nx">storage_source</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">function_source_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">object</span> <span class="p">=</span> <span class="nx">google_storage_bucket_object</span><span class="p">.</span><span class="nx">processor_zip</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">service_config</span> <span class="p">{</span> <span class="nx">max_instance_count</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">available_memory</span> <span class="p">=</span> <span class="s2">"512M"</span> <span class="nx">timeout_seconds</span> <span class="p">=</span> <span class="mi">200</span> <span class="nx">service_account_email</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">processor_sa</span><span class="p">.</span><span class="nx">email</span> <span class="p">}</span> <span class="c1"># event_trigger { ... to be revisited later }</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"processor_sa"</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"image-processor-sa"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Service Account for Image Processor Function"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_storage_bucket_iam_member"</span> <span class="s2">"processor_storage_viewer"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">tmp_upload_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/storage.objectViewer"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">processor_sa</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"processor_vision_user"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/visionai.admin"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">processor_sa</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> </code></pre> </div> <p>But this is not all! Next we need to define a trigger that will cause any uploaded object into the bucket to invoke this function. For that we will need additional service account with specific permissions, namely receiving events from Eventarc, invoking this function and being usable by global Eventarc service account. We also need to allow Cloud Storage to use Pub/Sub in our project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># All the permissions configuration</span> <span class="k">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"processor_event_sa"</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"image-processor-event-sa"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Service Account for tmp Bucket events"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"processor_event_receiver"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/eventarc.eventReceiver"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">processor_event_sa</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_cloud_run_v2_service_iam_member"</span> <span class="s2">"processor_invoker"</span> <span class="p">{</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">google_cloudfunctions2_function</span><span class="p">.</span><span class="nx">image_processor</span><span class="p">.</span><span class="nx">location</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">google_cloudfunctions2_function</span><span class="p">.</span><span class="nx">image_processor</span><span class="p">.</span><span class="nx">project</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">google_cloudfunctions2_function</span><span class="p">.</span><span class="nx">image_processor</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/run.invoker"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nx">google_service_account</span><span class="p">.</span><span class="nx">processor_event_sa</span><span class="p">.</span><span class="nx">email</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"google_project"</span> <span class="s2">"project"</span> <span class="p">{}</span> <span class="k">resource</span> <span class="s2">"google_service_account_iam_member"</span> <span class="s2">"eventarc_sa_user"</span> <span class="p">{</span> <span class="nx">service_account_id</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">processor_event_sa</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/iam.serviceAccountUser"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:service-</span><span class="k">${data</span><span class="p">.</span><span class="nx">google_project</span><span class="p">.</span><span class="nx">project</span><span class="p">.</span><span class="nx">number</span><span class="k">}</span><span class="s2">@gcp-sa-eventarc.iam.gserviceaccount.com"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"gcs_pubsub_publishing"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/pubsub.publisher"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:service-</span><span class="k">${data</span><span class="p">.</span><span class="nx">google_project</span><span class="p">.</span><span class="nx">project</span><span class="p">.</span><span class="nx">number</span><span class="k">}</span><span class="s2">@gs-project-accounts.iam.gserviceaccount.com"</span> <span class="p">}</span> <span class="c1">### Edit the Cloud Run function and add a trigger</span> <span class="k">resource</span> <span class="s2">"google_cloudfunctions2_function"</span> <span class="s2">"image_processor"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"image-processor"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"europe-west4"</span> <span class="p">...</span> <span class="nx">event_trigger</span> <span class="p">{</span> <span class="nx">trigger_region</span> <span class="p">=</span> <span class="s2">"eu"</span> <span class="nx">event_type</span> <span class="p">=</span> <span class="s2">"google.cloud.storage.object.v1.finalized"</span> <span class="nx">retry_policy</span> <span class="p">=</span> <span class="s2">"RETRY_POLICY_DO_NOT_RETRY"</span> <span class="nx">service_account_email</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">processor_event_sa</span><span class="p">.</span><span class="nx">email</span> <span class="nx">event_filters</span> <span class="p">{</span> <span class="nx">attribute</span> <span class="p">=</span> <span class="s2">"bucket"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">tmp_upload_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now when you upload any image to the bucket you should see in the Logs Explorer and entry with the list of the labels that were created by Vision API along with the scores. However, not all images receive labels. Often screenshots or memes cannot be classified by this service.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fek2avnbqop28gkrnuguw.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fek2avnbqop28gkrnuguw.jpg" alt="Labels given to a an uploaded image" width="800" height="258"></a></p> <h2> Moving forward </h2> <p>In the next episode of this series, we are going to finish the project by enhancing each image using Gemini on Vertex AI, storing the results in a Firestore database and listing those on the main site.</p> googlecloud gcp Piotr Pabis Sat, 10 Jan 2026 08:57:27 +0000 https://forem.com/ppabis/serverless-picture-gallery-on-google-cloud-part-1-5c0n https://forem.com/ppabis/serverless-picture-gallery-on-google-cloud-part-1-5c0n <p>Today, I want to walk you through a simple project I decided to build to better learn and understand Google Cloud while preparing for PCA exam. I wanted to utilize many services that Google offers and let me troubleshoot things, as when you break and fix something, you understand it better. In this project, we will create a picture gallery where the pictures will be labeled by Vision API and augmented using Nano Banana. Other services we will utilize are: CloudRun, CloudRun Functions, Global Load Balancer, Cloud Armor, Storage Buckets and Firestore.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fncta3n1h1tu3vikfyo89.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fncta3n1h1tu3vikfyo89.png" alt="Diagram of the solution with part 1 highlighted"></a></p> <p>In this episode of the project we will only focus on the highlighted part. We will create a publicly readable bucket for our images. A Global External Load Balancer will serve them (along with CDN caching) and also route us to a CloudRun function, currently with a dummy website showing placeholders. We will also hide the load balancer behind Cloud Armor so that only our IP subnet can access the service. In my setup I also added SSL protection but this is optional - you can just use HTTP with IP directly, as you will need a domain for SSL to work.</p> <p><em>Find the code on GitHub:</em> <a href="https://github.com/ppabis/gcp-photos-gallery" rel="noopener noreferrer"><em>ppabis/gcp-photos-gallery</em></a></p> <h2> Prerequisites </h2> <p>Before we start, be sure that you have the following:</p> <ul> <li>Google Cloud account (obviously),</li> <li>OpenTofu v1.11.0 or newer,</li> <li> <code>gcloud</code> CLI configured and connected to your project,</li> <li>Docker provider such as Docker Desktop or OrbStack.</li> </ul> <h3> Enabling APIs and configuring Docker </h3> <p>We will also enable necessary APIs (the list might not be complete) and configure Docker credentials to use with Artifact Registry. Run the following commands to set up everything.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud services <span class="nb">enable </span>vision.googleapis.com gcloud services <span class="nb">enable </span>eventarc.googleapis.com gcloud services <span class="nb">enable </span>cloudfunctions.googleapis.com gcloud services <span class="nb">enable </span>certificatemanager.googleapis.com gcloud services <span class="nb">enable </span>cloudbuild.googleapis.com gcloud services <span class="nb">enable </span>aiplatform.googleapis.com <span class="c"># You can change region here if you want, just accept the prompt</span> gcloud auth configure-docker europe-west4-docker.pkg.dev </code></pre> </div> <h3> Providers and basic configuration </h3> <p>In this part of the project we will also import all the Terraform providers we will need later. I will also create necessary basic configuration. The region of my choice is <code>europe-west4</code> but you can pick any other you want.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 7.15.0"</span> <span class="p">}</span> <span class="nx">random</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/random"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="p">}</span> <span class="nx">docker</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"kreuzwerker/docker"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="p">}</span> <span class="nx">archive</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/archive"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.4"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.11.0"</span> <span class="c1"># OpenTofu only!</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"project_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the Google Cloud project"</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"europe-west4"</span> <span class="nx">zone</span> <span class="p">=</span> <span class="s2">"europe-west4-a"</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"docker"</span> <span class="p">{</span> <span class="nx">registry_auth</span> <span class="p">{</span> <span class="nx">address</span> <span class="p">=</span> <span class="s2">"europe-west4-docker.pkg.dev"</span> <span class="nx">config_file</span> <span class="p">=</span> <span class="nx">pathexpand</span><span class="p">(</span><span class="s2">"~/.docker/config.json"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Bucket for storing images </h2> <p>Let's start with the simplest thing which is a bucket which will store the images to show on the website. We will use <code>random_string</code> resource as bucket names have to be globally unique (just like in AWS S3). My bucket will be multi-region across <code>"EU"</code> location. I will also choose uniform bucket level access to prevent ACLs being used for the objects.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"random_string"</span> <span class="s2">"bucket_name"</span> <span class="p">{</span> <span class="nx">length</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">special</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">upper</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">lower</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">numeric</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"photos_bucket"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"photos-bucket-</span><span class="k">${</span><span class="nx">random_string</span><span class="p">.</span><span class="nx">bucket_name</span><span class="p">.</span><span class="nx">result</span><span class="k">}</span><span class="s2">"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"EU"</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="nx">uniform_bucket_level_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>What is more, we want the bucket to be publicly accessible and reachable via the Load Balancer later. I will create two resources for that. First will be bucket viewer role that will be given to <code>allUsers</code>. Next I will create a backend for the bucket (AWS equivalent is Target Group).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_storage_bucket_iam_member"</span> <span class="s2">"public_read_access"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">photos_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/storage.objectViewer"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"allUsers"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_backend_bucket"</span> <span class="s2">"photos_backend_bucket"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"backend-bucket-</span><span class="k">${</span><span class="nx">random_string</span><span class="p">.</span><span class="nx">bucket_name</span><span class="p">.</span><span class="nx">result</span><span class="k">}</span><span class="s2">"</span> <span class="nx">bucket_name</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">photos_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">enable_cdn</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># edge_security_policy = ... We will revisit it later</span> <span class="p">}</span> </code></pre> </div> <p>After you apply, you should be able to upload any object to the bucket via Console or <code>gsutil</code> and see it when accessing via browser.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faopwxke4bmha6gyr5x2f.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faopwxke4bmha6gyr5x2f.jpg" alt="Object publicly visible"></a></p> <h2> Global External Application Load Balancer </h2> <p>As you see by the title, Google has amazing naming convention when it comes to their products. But just as long is this name, also list of its functionalities. This essentially combines AWS'es Application Load Balancer, CloudFront and Global Accelerator into one service.</p> <p>We will reserve a new public IPv4 IP from Google and use it as a frontend for our load balancer. This frontend will lead to URL map that for now will route everything to the storage bucket (we will revisit it later). In this example, it only has HTTP endpoint. In the repository I also left an example for HTTPS if you happen to have a domain. (You will need to add a CNAME record to validate domain ownership.)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_compute_global_address"</span> <span class="s2">"lb_ip"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lb-external-ip"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_url_map"</span> <span class="s2">"url_map"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"global-app-lb"</span> <span class="nx">default_service</span> <span class="p">=</span> <span class="nx">google_compute_backend_bucket</span><span class="p">.</span><span class="nx">photos_backend_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="nx">host_rule</span> <span class="p">{</span> <span class="nx">hosts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">path_matcher</span> <span class="p">=</span> <span class="s2">"path-matcher"</span> <span class="p">}</span> <span class="nx">path_matcher</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"path-matcher"</span> <span class="nx">default_service</span> <span class="p">=</span> <span class="nx">google_compute_backend_bucket</span><span class="p">.</span><span class="nx">photos_backend_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="nx">path_rule</span> <span class="p">{</span> <span class="nx">paths</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"/images"</span><span class="p">,</span> <span class="s2">"/images/*"</span><span class="p">]</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">google_compute_backend_bucket</span><span class="p">.</span><span class="nx">photos_backend_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_target_http_proxy"</span> <span class="s2">"http_proxy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lb-http-proxy"</span> <span class="nx">url_map</span> <span class="p">=</span> <span class="nx">google_compute_url_map</span><span class="p">.</span><span class="nx">url_map</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_global_forwarding_rule"</span> <span class="s2">"forwarding_rule"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lb-forwarding-rule"</span> <span class="nx">ip_protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="nx">load_balancing_scheme</span> <span class="p">=</span> <span class="s2">"EXTERNAL_MANAGED"</span> <span class="nx">port_range</span> <span class="p">=</span> <span class="s2">"80"</span> <span class="nx">target</span> <span class="p">=</span> <span class="nx">google_compute_target_http_proxy</span><span class="p">.</span><span class="nx">http_proxy</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_address</span> <span class="p">=</span> <span class="nx">google_compute_global_address</span><span class="p">.</span><span class="nx">lb_ip</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Now if you go to the loadbalancer via the IP address it should show you also the image. If you go to <code>images/</code> path it will be appended also when requesting object from the bucket. So for example <code>http://1.2.3.4/images/test.jpg</code> will go to <code>gs://photos-bucket-123456/images/test.jpg</code>. This will be the case also when we later change the default route to Cloud Run.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fowgbeuqa8z1dqsthnjlf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fowgbeuqa8z1dqsthnjlf.png" alt="Image visible via Load Balancer"></a></p> <h2> Creating an index website </h2> <p>First, let's create a dummy website that will simply display some placeholder photos. I will use Python with FastAPI. The site needs to be built with Docker, so you have a very wide choice of languages and SDKs. Below is a simple app that serves a templated HTML website in <code>templates/</code> directory. For brevity I will skip the actual template but this can simply be a vibe-coded HTML page.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">fastapi</span><span class="p">,</span> <span class="n">random</span><span class="p">,</span> <span class="n">uvicorn</span><span class="p">,</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">fastapi.templating</span> <span class="n">app</span> <span class="o">=</span> <span class="n">fastapi</span><span class="p">.</span><span class="nc">FastAPI</span><span class="p">()</span> <span class="n">templates</span> <span class="o">=</span> <span class="n">fastapi</span><span class="p">.</span><span class="n">templating</span><span class="p">.</span><span class="nc">Jinja2Templates</span><span class="p">(</span><span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">templates</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">index</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">fastapi</span><span class="p">.</span><span class="n">Request</span><span class="p">):</span> <span class="c1"># HTML response based on Jinja template </span> <span class="k">return</span> <span class="n">templates</span><span class="p">.</span><span class="nc">TemplateResponse</span><span class="p">(</span> <span class="sh">"</span><span class="s">index.html</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">:</span> <span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">number</span><span class="sh">"</span><span class="p">:</span> <span class="n">random</span><span class="p">.</span><span class="nf">randint</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="mi">20</span><span class="p">)</span> <span class="p">}</span> <span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">port</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">PORT</span><span class="sh">"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">))</span> <span class="n">uvicorn</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="n">port</span><span class="p">)</span> </code></pre> </div> <p>Now it's time for a Dockerfile. I will install FastAPI, Uvicorn and Jinja directly with <code>pip</code> but it's better to use actual <code>requirements.txt</code> in real scenarios.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> python:3.14-alpine</span> <span class="k">ENV</span><span class="s"> PORT 8080</span> <span class="k">WORKDIR</span><span class="s"> /app/</span> <span class="k">RUN </span>pip <span class="nb">install </span>fastapi uvicorn jinja2 <span class="k">COPY</span><span class="s"> . /app/</span> <span class="k">CMD</span><span class="s"> ["sh", "-c", "uvicorn main:app --host 0.0.0.0 --port ${PORT}"]</span> </code></pre> </div> <p>Now we can use <code>docker</code> provider in Terraform to build and push our application. In order to make it react to changes, I will also use a variable and increase version with each change. But in order to push, let's also define a new repository in Artifact Registry.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"app_version"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_artifact_registry_repository"</span> <span class="s2">"website_repo"</span> <span class="p">{</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"europe-west4"</span> <span class="nx">repository_id</span> <span class="p">=</span> <span class="s2">"website-repository"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Docker repository for the website image"</span> <span class="nx">format</span> <span class="p">=</span> <span class="s2">"DOCKER"</span> <span class="nx">docker_config</span> <span class="p">{</span> <span class="nx">immutable_tags</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"docker_image"</span> <span class="s2">"website_image"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">google_artifact_registry_repository</span><span class="p">.</span><span class="nx">website_repo</span><span class="p">.</span><span class="nx">registry_uri</span><span class="k">}</span><span class="s2">/website-image:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">app_version</span><span class="k">}</span><span class="s2">"</span> <span class="nx">build</span> <span class="p">{</span> <span class="nx">context</span> <span class="p">=</span> <span class="s2">"./website"</span> <span class="nx">platform</span> <span class="p">=</span> <span class="s2">"linux/amd64"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"docker_registry_image"</span> <span class="s2">"website_image"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">docker_image</span><span class="p">.</span><span class="nx">website_image</span><span class="p">.</span><span class="nx">name</span> <span class="nx">keep_remotely</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>Now as you apply, the new image from <code>website/</code> directory should be built and pushed to Artifacts Registry in Google Cloud. This way we can further create a service online that will run serve this image.</p> <h2> Creating Cloud Run service </h2> <p>First I will create a basic Cloud Run service with the image created above. Let's approach this step by step. As later we will use this service to connect to some other services, we will attach a service account in advance. Service Account is equivalent to AWS IAM Role. I will configure also the port on which it should listen. The same port will be exported to <code>PORT</code> environment variable. To make the Cloud Run function accessible only via Load Balancer later (and not with <code>.run.app</code> link), I set <code>ingress</code> configuration to <code>INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER</code>. Also the scaling will be limited to at most 3 instances.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"cloud_run_sa"</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"cloud-run-website-sa"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Service Account for Cloud Run Website"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_cloud_run_v2_service"</span> <span class="s2">"website_service"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"website-service"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"europe-west4"</span> <span class="nx">ingress</span> <span class="p">=</span> <span class="s2">"INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"</span> <span class="nx">deletion_protection</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">docker_image</span><span class="p">.</span><span class="nx">website_image</span><span class="p">,</span> <span class="nx">docker_registry_image</span><span class="p">.</span><span class="nx">website_image</span><span class="p">]</span> <span class="nx">template</span> <span class="p">{</span> <span class="nx">service_account</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">cloud_run_sa</span><span class="p">.</span><span class="nx">email</span> <span class="nx">containers</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">google_artifact_registry_repository</span><span class="p">.</span><span class="nx">website_repo</span><span class="p">.</span><span class="nx">registry_uri</span><span class="k">}</span><span class="s2">/website-image:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">app_version</span><span class="k">}</span><span class="s2">"</span> <span class="nx">ports</span> <span class="p">{</span> <span class="nx">container_port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">scaling</span> <span class="p">{</span> <span class="nx">min_instance_count</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">max_instance_count</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Before we can expose Cloud Run app in the load balancer, we still need to create two things. First, we need to allow anyone to use the Service without authentication. Secondly, we need to define network endpoint group that will expose our Cloud Run Service for this region (you can use single Load Balancer Backend with multiple Network Endpoint Groups to serve same Service in multiple regions).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_cloud_run_v2_service_iam_member"</span> <span class="s2">"noauth"</span> <span class="p">{</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">google_cloud_run_v2_service</span><span class="p">.</span><span class="nx">website_service</span><span class="p">.</span><span class="nx">location</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">google_cloud_run_v2_service</span><span class="p">.</span><span class="nx">website_service</span><span class="p">.</span><span class="nx">project</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">google_cloud_run_v2_service</span><span class="p">.</span><span class="nx">website_service</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/run.invoker"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"allUsers"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_region_network_endpoint_group"</span> <span class="s2">"serverless_neg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"serverless-neg"</span> <span class="nx">network_endpoint_type</span> <span class="p">=</span> <span class="s2">"SERVERLESS"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"europe-west4"</span> <span class="nx">cloud_run</span> <span class="p">{</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">google_cloud_run_v2_service</span><span class="p">.</span><span class="nx">website_service</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_backend_service"</span> <span class="s2">"website_backend"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"website-backend"</span> <span class="nx">load_balancing_scheme</span> <span class="p">=</span> <span class="s2">"EXTERNAL_MANAGED"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">backend</span> <span class="p">{</span> <span class="nx">group</span> <span class="p">=</span> <span class="nx">google_compute_region_network_endpoint_group</span><span class="p">.</span><span class="nx">serverless_neg</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># security_policy = ... we will revisit it later</span> <span class="p">}</span> </code></pre> </div> <h2> Accessing our website from Load Balancer </h2> <p>Now we can attach the new backend to the Load Balancer. We will replace the default routes in URL map and keep <code>/images/</code> being served by the bucket backend.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_compute_url_map"</span> <span class="s2">"url_map"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"global-app-lb"</span> <span class="nx">default_service</span> <span class="p">=</span> <span class="nx">google_compute_backend_service</span><span class="p">.</span><span class="nx">website_backend</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># Changed the following 👆</span> <span class="c1"># ...</span> <span class="nx">path_matcher</span> <span class="p">{</span> <span class="c1"># And this one too 👇</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"path-matcher"</span> <span class="nx">default_service</span> <span class="p">=</span> <span class="nx">google_compute_backend_service</span><span class="p">.</span><span class="nx">website_backend</span><span class="p">.</span><span class="nx">id</span> <span class="nx">path_rule</span> <span class="p">{</span> <span class="nx">paths</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"/images"</span><span class="p">,</span> <span class="s2">"/images/*"</span><span class="p">]</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">google_compute_backend_bucket</span><span class="p">.</span><span class="nx">photos_backend_bucket</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The root of the load balancer should now serve your new Cloud Run website like on the image below.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzxd0b2bu8avx2xs1zme7.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzxd0b2bu8avx2xs1zme7.jpg" alt="Index of our project"></a></p> <h2> Protecting the site with Cloud Armor </h2> <p>If you go to logs explorer in Google Console, you will see a lot of requests coming from malicious individuals running scanners against IPs. This is the unfortunate fact about IPv4 - it's so limited that the range to scan is very small and makes sense for hackers who want to steal your <code>.env</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fefj8hecwa0q7p9j59mwn.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fefj8hecwa0q7p9j59mwn.jpg" alt="Bad actors in the logs"></a></p> <p>In general you would block individual IPs or ranges but in our case, we can simply use our own IP as allowlist. That's what Cloud Armor is for (it actually can do much more, like block requests for <code>.env</code> for example 🤩). The rules are applied to the backends and because we have two types of backends - compute for our Cloud Run and bucket for Storage Bucket, we need also two types of policies. Actually, they will look exactly the same with only change in one argument. The default behavior will be to deny and throw HTTP error code 403.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"ip_range"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="c1"># Set this to your IP range</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_security_policy"</span> <span class="s2">"policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"backend-allowed-ips"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CLOUD_ARMOR"</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="s2">"1000"</span> <span class="nx">match</span> <span class="p">{</span> <span class="nx">versioned_expr</span> <span class="p">=</span> <span class="s2">"SRC_IPS_V1"</span> <span class="nx">config</span> <span class="p">{</span> <span class="nx">src_ip_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">ip_range</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow access from my IP range"</span> <span class="p">}</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"deny(403)"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="s2">"2147483647"</span> <span class="nx">match</span> <span class="p">{</span> <span class="nx">versioned_expr</span> <span class="p">=</span> <span class="s2">"SRC_IPS_V1"</span> <span class="nx">config</span> <span class="p">{</span> <span class="nx">src_ip_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Default deny rule"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_security_policy"</span> <span class="s2">"edge_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"edge-allowed-ips"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CLOUD_ARMOR_EDGE"</span> <span class="c1"># Exactly same rules as above!</span> <span class="c1"># ...</span> <span class="p">}</span> </code></pre> </div> <p>Now we can apply the new policies to our backend services. Let's revisit the resources for Cloud Run function and for the images bucket.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_compute_backend_service"</span> <span class="s2">"website_backend"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"website-backend"</span> <span class="nx">load_balancing_scheme</span> <span class="p">=</span> <span class="s2">"EXTERNAL_MANAGED"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">backend</span> <span class="p">{</span> <span class="nx">group</span> <span class="p">=</span> <span class="nx">google_compute_region_network_endpoint_group</span><span class="p">.</span><span class="nx">serverless_neg</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># Changed this one 👇, use normal CLOUD_ARMOR policy here</span> <span class="nx">security_policy</span> <span class="p">=</span> <span class="nx">google_compute_security_policy</span><span class="p">.</span><span class="nx">policy</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_backend_bucket"</span> <span class="s2">"photos_backend_bucket"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"backend-bucket-</span><span class="k">${</span><span class="nx">random_string</span><span class="p">.</span><span class="nx">bucket_name</span><span class="p">.</span><span class="nx">result</span><span class="k">}</span><span class="s2">"</span> <span class="nx">bucket_name</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">photos_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">enable_cdn</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Changed this one 👇, use CLOUD_ARMOR_EDGE policy here</span> <span class="nx">edge_security_policy</span> <span class="p">=</span> <span class="nx">google_compute_security_policy</span><span class="p">.</span><span class="nx">edge_policy</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>If you try to access the load balancer for example using VPN, it should now show Forbidden but should work for your home IP. If you don't know what you IP is, do the following: go to <a href="https://api.ipify.org/" rel="noopener noreferrer">https://api.ipify.org/</a>, replace last two numbers with 0 and 0 and add <code>/16</code>. That way the policy will be flexible enough if you have dynamic IP. So <code>208.81.188.10</code> should become <code>208.81.0.0/16</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2h33o52pg5ugu6opajw0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2h33o52pg5ugu6opajw0.png" alt="Access forbidden for VPN connections"></a></p> <h2> Going further </h2> <p>Phew! That was some long writing. In the next part we will focus on the upload process and triggering Cloud Run Function which will describe our image with Vision API.</p> <p><a href="https://dev.to/ppabis/serverless-picture-gallery-on-google-cloud-part-2-57mc">Continue to part 2 here</a></p> googlecloud gcp Piotr Pabis Wed, 03 Dec 2025 16:38:37 +0000 https://forem.com/aws-builders/how-to-get-pythoncloudjavadevopsadmin-job-in-this-crazy-market-1ldj https://forem.com/aws-builders/how-to-get-pythoncloudjavadevopsadmin-job-in-this-crazy-market-1ldj <p>In advance I want to say: I won't sell you a bootcamp, I won't send you to a Udemy course and I don't guarantee anything. I just want to share my story with you 🥲, as I believe many people are struggling to get "DevOps" or "Developer" job in this market.</p> <h2> Backstory </h2> <p>The year is 2019. I was to just graduate from a university with a Master of Engineering degree in Computer Science. With this on my resume, three years of experience at Intel (although as an intern 😅) and published apps for Android with a modest ad revenue, I went into the job hunting spree. Checkboxes:</p> <ul> <li>✅ Bachelor's degree, Master's is just a formality,</li> <li>✅ 3 years of experience in Big Tech,</li> <li>✅ Some Python experience from the above,</li> <li>✅ Java experience from Android,</li> <li>✅ Some PHP websites I built in high school as "the next Facebook",</li> <li>✅ Entrepreneurial spirit with proven projects.</li> </ul> <p>I go for the biggest ones first: Amazon and AMD. First one, final round, rejection. Second one, "Here's a take home coding challenge", I do it, "not good enough". Maybe I should be a bit more humble next time. I apply to bigger and smaller companies for Java jobs. Silence. I apply for PHP jobs. Python. JavaScript. Silence. Android job. 200 people competing for one junior position. Of course I failed, what the hell is MVVM and how to use mocks in unit tests? (Fun fact: one company called me <strong>2 years later</strong> for junior Java position!)</p> <p>It was a disaster back then. As at the time I was a member of a Toastmaster's club, I just randomly chatted with one colleague who was a senior dev since a long time. He gave me just this simple one advice: "Go for IT helpdesk or DevOps, once you are in, it's easier to switch to Java or whatever".</p> <h2> First Steps into DevOps </h2> <p>I took his advice and picked DevOps. I had no idea what DevOps is back then. So I went home and searched what are the requirements for DevOps. I knew Linux, used it for some years already. I used Docker once or twice. Added these details to my resume. I sent maybe 3 or 4 applications. Got two responses. Went to the first interview. I said "I know some basic Docker, I know Linux, I want just a trial period, <strong>I will manage to do this/I will figure it out</strong>". The one in bold might have been the deciding factor 😂 and I got the job 🎉!</p> <p>Everything afterwards was just smooth sailing ⛵️. Recruiters started to contact me themselves, I switched jobs multiple times. But most importantly, I learned whatever I could at work and tried hard to be useful, whether it was writing some Python scripts or replacing power cables in desk computers.</p> <h2> Fast forward to today </h2> <p>I have more than 5 years of experience in DevOps and many certifications at this point. I don't say this to brag but to give you a specific perspective: I almost get zero job offers this year. A recruiter contacts me once every two months at most. Even if I apply, there's almost no response. If I even get to a call, I don't get any exciting offers. Nowhere in the process did anyone ask me for certifications. I even applied to AWS and nowhere in the process I was asked or said anything about certifications. The only thing that mattered was problem solving, and grind and persistence (or as they call it in Amazon - following Leadership Principles 😆). What I want to underline here as well is that recruiters have a bias towards people who are currently employed, somewhat of a social proof of sort. Maybe it's subconscious, I don't know, I was never a headhunter 😝.</p> <p>Let's go back to the title of this post and review some tips that are shared around by professionals. First: do and publish projects on GitHub. Far from it. First of all, it's 2025 and you can just vibe code it, and even if we assume that AI doesn't exist, nobody has time to look at your React ToDo app - and 200 other ones sent in by other candidates. If you have something very useful and unique, you might have a chance with that. At best, the time to show your project is to demonstrate it working during the interview. Second one: bootcamps - unless you are switching from one language to another, let's say Java bootcamp while being a Python pro, or Cloud Architect while having experience as Software Product Manager, this is just waste of money. You might learn coding but your job chances will likely stay on the same level. There's another reason I will explain in digression below. Third one: certifications - although everyone clearly state all the time "certification won't get you a job" - which is true, the second part is too vague "only hands on experience matters". But let me also digress the certifications topic at the end of this post.</p> <p>That leaves us with one tip I want to give you today:</p> <h2> Get <em>any</em> job in IT. </h2> <p>Whether you wanted a Java role and they offer you entry-level database admin, take it. If you wanted to be a Cloud Engineer but what you find is a sysadmin of physical servers, do it. IT person at a local school? You are the one. Assistant to the guy setting up routers in offices? You pass him the screwdriver. If you have to carry a server rack, you carry it. If someone needs ethernet cable or new Windows installation, you crawl under the desk to connect it and plug in USB stick with Windows ISO. If someone calls you asking how to install Adobe Reader for the third time today, you take the call and instruct them patiently step-by-step. I'm not saying this to make you do things out of your contract (only if you really want to yourself) but to tell you that someone has to do it and companies are in need of such specialists. Repeating one fact: <strong>the most valuable point on your resume is being currently employed</strong>. And far fewer people flock to on-site physical IT, or repeatable less creative jobs nowadays. (Tbh, most jobs are quite frustrating often. Look at game development. Video games are shiny, creative, and fun but in reality its development is the quickest path to burnout and crunch.)</p> <p>If this company has software engineers, you are even luckier - ask to join stand-ups just to listen. Ask one developer to look over as they work. Ask them if you can ask questions - you will be surprised how many people are willing to help and teach you (maybe because it makes them feel important and smart? I don't know 🤣). With that you might have opportunity to switch to become SWE. Hiring internally is way easier - even more powerful than referrals.</p> <p>You will have a modest salary (don't work for free though ❗️), put something what is left over aside. This is your budget for upskilling. Save for courses, certifications, books, whatever you are curious about. Buy a domain for a year, get a VPS server for a month. Buy a used tablet to test your apps. Take a Python course and value every minute of it - you earned this money and it was hard. This will give you finally opportunities to get where you want to be.</p> <p>And if you are adventurous, or there's no IT offers around you, try getting any job. Maybe introducing Excel to a local Mom-and-Pop shop will be the way. Maybe you can find a book in a local library about HTML or data analytics and you will volunteer to teach it to kids. Google Forms for a local charity - isn't this IT? Any such small and trivial thing will move you closer to the path you want. If you get hired for a different position in an office where there is an IT department, it's even better - this is the same as above but with one extra step. On the other hand you might be the first pillar to establish one in the existing business.</p> <p>But maybe... Maybe you will just love the job you got. I did. I never expected to be where I am now.</p> <p>I get you, you spent so much time learning already. You did all those projects, all these courses, bootcamps and now you have to do something else completely? Not use any of those skills you spent time and energy to acquire? This is harsh reality, unfortunately. I don't say you should give up on that thing you learned. What I want to present you is a strategy to actually realize this in the future. Because statistically if you sent 1000 applications to various companies for this specific Typescript Developer job, 1001st is not likely to work either. Again this another opening will get hundreds of resumes. Get into the game first, then move forward on the board 🎲.</p> <p>My suggestion contradicts the common advice of focusing on one thing and trying hard to get there. I advise you to diffuse and be open. Prepare quickly before the interview, get some basic knowledge about the things in the job description. Learn on the job, be curious, try being useful at every opportunity, at every hour you are in the office. Don't be afraid to ask questions. If you have an idea, don't just say it - implement it - even if your manager says "it's not worth the effort", but you believe it's the best what should be done - do it (just not directly on production 🤣). Trust me, implemented example of your idea is the strongest convincing force to any naysayer.</p> <h3> Digression: why or rather when certifications work </h3> <p>It is often said that you just need hands-on experience. Some will advice to not spend hundreds of dollars on the exams and just get the Udemy course during a sale for $10 and do the exercises along. This is as effective as telling someone to just eat less to lose weight, or cheer up and look at the beauty of the world around to not be sad when you are rejected from every job offer since a year. Both the courses and bootcamps have one thing in common: the pushing force of "sunk cost fallacy". However, as the time passes by, this momentum fades away and you just accept the money you "lost". One force that is pulling on the other side, is the certification, the exam. You put money on the line on the other end, so you subconsciously want to prepare for it and not just binge watch Udemy. However, both forces need to be close enough to each other in time axis. <em>And note for AWS and other organizers: 75%-off vouchers do work 😉</em>. End of digression.</p> career developer devops Piotr Pabis Mon, 24 Nov 2025 08:00:00 +0000 https://forem.com/aws-builders/aws-iam-outbound-oidc-with-google-cloud-identity-pool-5ak7 https://forem.com/aws-builders/aws-iam-outbound-oidc-with-google-cloud-identity-pool-5ak7 <p>Recently, AWS introduced a new feature in IAM, that allows you to sign JWT tokens using managed OIDC provider. On a per AWS Account basis you can enable and receive unique endpoint with managed JWKS keys to configure third-party identity pools. <em>If you want to know more how it functions, I have</em> <a href="https://dev.to/aws-builders/private-self-hosted-oidc-aws-authentication-5bip"><em>a blog post how to host your own OIDC provider on CloudFront</em></a>.</p> <p>As I'm learning Google Cloud now, I decided to use GCP's Workload Identity Pool as the receiving end of the token issued by AWS IAM (even though this service also supports native AWS authentication). The goal for today is to make a Lambda function be able to write to Google Cloud Storage bucket and insert some rows into BigQuery table. The whole setup is on the diagram below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkh9suamc96s2a4pjxodw.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkh9suamc96s2a4pjxodw.jpg" alt="Diagram" width="630" height="357"></a></p> <p>For each of the steps below, I assume you are already authenticated to both AWS and Google Cloud CLIs and have necessary permissions to create all resources.</p> <p><em>Repository with the whole code you can find here:</em> <a href="https://github.com/ppabis/aws-outbound-oidc-google-cloud" rel="noopener noreferrer"><em>github.com/ppabis/aws-outbound-oidc-google-cloud</em></a>.</p> <h2> Configuring AWS Account and GCP Project </h2> <p>For now this new feature is <a href="https://github.com/hashicorp/terraform-provider-aws/issues/45146" rel="noopener noreferrer">not yet available in Terraform</a>, so you will need to use latest AWS CLI and enable it using the command below. In case you have it already enabled, you can use the second one to get the issuer URL again. Run this in the root of your new project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws iam enable-outbound-web-identity-federation <span class="nt">--output</span> json <span class="o">&gt;</span> issuer.json <span class="c"># Alternatively, if already enabled:</span> aws iam get-outbound-web-identity-federation-info <span class="nt">--output</span> json <span class="o">&gt;</span> issuer.json </code></pre> </div> <p>This will create a file <code>issuer.json</code> with the OIDC endpoint that we will need later. Next, let's enable some services on Google Cloud:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud services <span class="nb">enable </span>sts.googleapis.com gcloud services <span class="nb">enable </span>storage.googleapis.com gcloud services <span class="nb">enable </span>bigquery.googleapis.com </code></pre> </div> <h2> Terraform providers </h2> <p>Let's create a new <code>provider.tf</code> file that will configure our required Terraform providers to use in this project. We will need AWS v6.x, Google v7.x and archive to upload the Lambda. Remember to add your GCP project ID and select your preferred regions. Put your GCP project ID into <code>terraform.tfvars</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 6.0"</span> <span class="p">}</span> <span class="nx">archive</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/archive"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.0"</span> <span class="p">}</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 7.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"gcp_project_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">gcp_project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"europe-west1"</span> <span class="nx">user_project_override</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h2> Google Cloud Workload Identity Pool </h2> <p>Next, we will create an identity pool and identity pool provider that will authenticate JWT tokens issued by AWS. We will use the JSON file we obtained earlier. First define some identity pool, I named my <code>my-aws-app</code>. Then create a provider in this pool, I named it the same. Remember to add attribute mapping so that AWS users and roles are reflected as GCP subjects - that way we will later configure grants in GCP IAM. In this step we can technically also choose audiences we will accept but I want to use the default one created by Google. It is complex enough to be secure 😅.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">issuer</span> <span class="p">=</span> <span class="nx">jsondecode</span><span class="p">(</span><span class="nx">file</span><span class="p">(</span><span class="s2">"issuer.json"</span><span class="p">)).</span><span class="nx">IssuerIdentifier</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_iam_workload_identity_pool"</span> <span class="s2">"my_aws_app"</span> <span class="p">{</span> <span class="nx">workload_identity_pool_id</span> <span class="p">=</span> <span class="s2">"my-aws-app"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"my-aws-app"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_iam_workload_identity_pool_provider"</span> <span class="s2">"my_aws_app"</span> <span class="p">{</span> <span class="nx">workload_identity_pool_id</span> <span class="p">=</span> <span class="nx">google_iam_workload_identity_pool</span><span class="p">.</span><span class="nx">my_aws_app</span><span class="p">.</span><span class="nx">workload_identity_pool_id</span> <span class="nx">workload_identity_pool_provider_id</span> <span class="p">=</span> <span class="s2">"my-aws-app"</span> <span class="nx">oidc</span> <span class="p">{</span> <span class="nx">issuer_uri</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">issuer</span> <span class="p">}</span> <span class="nx">attribute_mapping</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"google.subject"</span> <span class="p">=</span> <span class="s2">"assertion.sub"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Resources on GCP side </h2> <p>I will create some sample resources in GCP that we will write to from the Lambda function. I chose a storage bucket and a BigQuery table. You can experiment with other services as well, it's just a matter of your imagination.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"random_id"</span> <span class="s2">"bucket_name"</span> <span class="p">{</span> <span class="nx">byte_length</span> <span class="p">=</span> <span class="mi">8</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"test_bucket"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-test-bucket-</span><span class="k">${</span><span class="nx">random_id</span><span class="p">.</span><span class="nx">bucket_name</span><span class="p">.</span><span class="nx">hex</span><span class="k">}</span><span class="s2">"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"europe-west1"</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="nx">uniform_bucket_level_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_bigquery_dataset"</span> <span class="s2">"my_dataset"</span> <span class="p">{</span> <span class="nx">dataset_id</span> <span class="p">=</span> <span class="s2">"my_dataset"</span> <span class="nx">friendly_name</span> <span class="p">=</span> <span class="s2">"my_dataset"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"europe-west1"</span> <span class="nx">delete_contents_on_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_bigquery_table"</span> <span class="s2">"my_table"</span> <span class="p">{</span> <span class="nx">dataset_id</span> <span class="p">=</span> <span class="nx">google_bigquery_dataset</span><span class="p">.</span><span class="nx">my_dataset</span><span class="p">.</span><span class="nx">dataset_id</span> <span class="nx">table_id</span> <span class="p">=</span> <span class="s2">"my_table"</span> <span class="nx">friendly_name</span> <span class="p">=</span> <span class="s2">"my_table"</span> <span class="nx">deletion_protection</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">schema</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">([</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"timestamp"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"TIMESTAMP"</span> <span class="nx">mode</span> <span class="p">=</span> <span class="s2">"REQUIRED"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"message"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"STRING"</span> <span class="nx">mode</span> <span class="p">=</span> <span class="s2">"NULLABLE"</span> <span class="p">}</span> <span class="p">])</span> <span class="p">}</span> </code></pre> </div> <p>For now we can't yet assign any permissions for out AWS side to these resources as we don't know the ARN of the role yet. Let's switch to AWS side now.</p> <h2> Creating AWS IAM Role for Lambda </h2> <p>Our role will be a very simple one - it needs to be assumable by Lambda and what it will do is just get JWT OIDC tokens from STS. To follow security best practices, we will only allow it to create tokens for specific audience - the one created by Google for our project. Unfortunately, this value is not emitted by any Terraform resource so we have to construct it from string. The comparison we will do in the condition is <code>sts:IdentityTokenAudience</code>. The audience on GCP side looks like this: <code>//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID</code>. This huge 300 character long string is correct, trust me 😂. It's not the last time we will use it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"google_project"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"assume_role_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"lambda.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"LambdaOutboundSTSRole"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"LambdaOutboundSTSRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">assume_role_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"lambda_policy_attachment"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">LambdaOutboundSTSRole</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"lambda_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:GetWebIdentityToken"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"sts:IdentityTokenAudience"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"//iam.googleapis.com/projects/</span><span class="k">${data</span><span class="p">.</span><span class="nx">google_project</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">number</span><span class="k">}</span><span class="s2">/locations/global/workloadIdentityPools/</span><span class="k">${</span><span class="nx">google_iam_workload_identity_pool</span><span class="p">.</span><span class="nx">my_aws_app</span><span class="p">.</span><span class="nx">workload_identity_pool_id</span><span class="k">}</span><span class="s2">/providers/</span><span class="k">${</span><span class="nx">google_iam_workload_identity_pool_provider</span><span class="p">.</span><span class="nx">my_aws_app</span><span class="p">.</span><span class="nx">workload_identity_pool_provider_id</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"lambda_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"lambda_policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">LambdaOutboundSTSRole</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">lambda_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>Apply the infrastructure so far, to catch if there are any issues. In your GCP project, you should see a new workload identity pool created and in AWS you should see the IAM role. GCP should also have a new storage bucket and a BigQuery table. With that we can continue with permissions in GCP.</p> <h2> Granting Permissions in GCP </h2> <p>As we now know what role will authenticate from AWS, we can grant permissions on our new GCP resources to it. If you remember the last audience string, this 250 character long member string shouldn't scare you anymore. The principal we have to grant to has the following format: <code>principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/subject/ROLE_ARN</code>. Notice the change: we use only identity pool ID here (not provider).</p> <p>To follow best security practices, we will also limit the permissions using IAM conditions. Compare this to AWS: in AWS you use <code>Resource</code> key in the IAM policy to limit the policy and in GCP you need to use <code>condition</code>, and it's not in the policy, rather in the binding. The roles (in AWS terms policies) we will give are <code>roles/storage.objectAdmin</code> for the bucket and <code>roles/bigquery.dataEditor</code> for the BigQuery dataset. We will limit them to only our single bucket and BigQuery dataset (all tables).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"google_iam_role"</span> <span class="s2">"bucket_object_admin"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"roles/storage.objectAdmin"</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"google_iam_role"</span> <span class="s2">"bigquery_data_editor"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"roles/bigquery.dataEditor"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"aws_lambda_incoming_bucket_role_member"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">gcp_project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">google_iam_role</span><span class="p">.</span><span class="nx">bucket_object_admin</span><span class="p">.</span><span class="nx">name</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"principal://iam.googleapis.com/projects/</span><span class="k">${data</span><span class="p">.</span><span class="nx">google_project</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">number</span><span class="k">}</span><span class="s2">/locations/global/workloadIdentityPools/</span><span class="k">${</span><span class="nx">google_iam_workload_identity_pool</span><span class="p">.</span><span class="nx">my_aws_app</span><span class="p">.</span><span class="nx">workload_identity_pool_id</span><span class="k">}</span><span class="s2">/subject/</span><span class="k">${</span><span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">LambdaOutboundSTSRole</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">"</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">title</span> <span class="p">=</span> <span class="s2">"RestrictToTestBucket"</span> <span class="nx">expression</span> <span class="p">=</span> <span class="s2">"resource.name.startsWith(</span><span class="se">\"</span><span class="s2">projects/_/buckets/</span><span class="k">${</span><span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">test_bucket</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">/objects/</span><span class="se">\"</span><span class="s2">)"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"aws_lambda_incoming_bigquery_role_member"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">gcp_project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">google_iam_role</span><span class="p">.</span><span class="nx">bigquery_data_editor</span><span class="p">.</span><span class="nx">name</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"principal://iam.googleapis.com/projects/</span><span class="k">${data</span><span class="p">.</span><span class="nx">google_project</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">number</span><span class="k">}</span><span class="s2">/locations/global/workloadIdentityPools/</span><span class="k">${</span><span class="nx">google_iam_workload_identity_pool</span><span class="p">.</span><span class="nx">my_aws_app</span><span class="p">.</span><span class="nx">workload_identity_pool_id</span><span class="k">}</span><span class="s2">/subject/</span><span class="k">${</span><span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">LambdaOutboundSTSRole</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">"</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">title</span> <span class="p">=</span> <span class="s2">"RestrictToMyDataset"</span> <span class="nx">expression</span> <span class="p">=</span> <span class="s2">"resource.name.startsWith(</span><span class="se">\"</span><span class="s2">projects/</span><span class="k">${data</span><span class="p">.</span><span class="nx">google_project</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">project_id</span><span class="k">}</span><span class="s2">/datasets/</span><span class="k">${</span><span class="nx">google_bigquery_dataset</span><span class="p">.</span><span class="nx">my_dataset</span><span class="p">.</span><span class="nx">dataset_id</span><span class="k">}</span><span class="se">\"</span><span class="s2">)"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We are technically done on setting up Google Cloud side. Let's move to the coding part now.</p> <h2> Lambda Function </h2> <p>To comfortable interact with Google Cloud services from our Lambda, we will install some requirements using a <code>requirements.txt</code> file. Create it in a new directory called <code>aws_lambda</code>. I have also included <code>boto3</code> as the current Lambda runtime doesn't have the latest version that supports the new <code>get_web_identity_token</code> function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>google-auth google-cloud-iam google-cloud-storage google-cloud-bigquery boto3 </code></pre> </div> <p>Install the requirements using pip directly into this directory. That way we will zip all the dependencies for Lambda and push it into AWS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt <span class="nt">-t</span> aws_lambda/ </code></pre> </div> <p>In order to exchange OIDC token for actual working GCP working token that will be recognized by GCP IAM we need to use Google STS service. The code below seems a bit overwhelming compared to AWS STS calls but it's necessary. We need to provide all the grant types, scopes, etc. Save this into <code>aws_lambda/auth.py</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.auth.transport.requests</span> <span class="kn">import</span> <span class="n">Request</span> <span class="kn">from</span> <span class="n">google.oauth2</span> <span class="kn">import</span> <span class="n">sts</span> <span class="kn">from</span> <span class="n">google.oauth2.credentials</span> <span class="kn">import</span> <span class="n">Credentials</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="n">aws_sts_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nc">Session</span><span class="p">().</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">sts</span><span class="sh">"</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">"</span><span class="s">us-east-1</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_exchange_aws_token_for_google_token</span><span class="p">(</span><span class="n">aws_token</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">audience</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Exchange AWS token for Google service account token via STS</span><span class="sh">"""</span> <span class="n">request</span> <span class="o">=</span> <span class="nc">Request</span><span class="p">()</span> <span class="n">google_sts_client</span> <span class="o">=</span> <span class="n">sts</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span><span class="n">token_exchange_endpoint</span><span class="o">=</span><span class="sh">"</span><span class="s">https://sts.googleapis.com/v1/token</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">google_sts_client</span><span class="p">.</span><span class="nf">exchange_token</span><span class="p">(</span> <span class="n">request</span><span class="o">=</span><span class="n">request</span><span class="p">,</span> <span class="n">grant_type</span><span class="o">=</span><span class="sh">"</span><span class="s">urn:ietf:params:oauth:grant-type:token-exchange</span><span class="sh">"</span><span class="p">,</span> <span class="n">audience</span><span class="o">=</span><span class="n">audience</span><span class="p">,</span> <span class="n">requested_token_type</span><span class="o">=</span><span class="sh">"</span><span class="s">urn:ietf:params:oauth:token-type:access_token</span><span class="sh">"</span><span class="p">,</span> <span class="n">subject_token</span><span class="o">=</span><span class="n">aws_token</span><span class="p">,</span> <span class="n">subject_token_type</span><span class="o">=</span><span class="sh">"</span><span class="s">urn:ietf:params:oauth:token-type:id_token</span><span class="sh">"</span><span class="p">,</span> <span class="n">scopes</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">https://www.googleapis.com/auth/cloud-platform</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">]</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error exchanging token: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="k">def</span> <span class="nf">authenticate_aws_oidc_to_google</span><span class="p">(</span><span class="n">audience</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Credentials</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Authenticate AWS OIDC to Google using the AWS STS client.</span><span class="sh">"""</span> <span class="n">aws_token</span> <span class="o">=</span> <span class="n">aws_sts_client</span><span class="p">.</span><span class="nf">get_web_identity_token</span><span class="p">(</span> <span class="n">Audience</span><span class="o">=</span><span class="p">[</span><span class="n">audience</span><span class="p">],</span> <span class="n">DurationSeconds</span><span class="o">=</span><span class="mi">3600</span><span class="p">,</span> <span class="n">SigningAlgorithm</span><span class="o">=</span><span class="sh">'</span><span class="s">ES384</span><span class="sh">'</span> <span class="p">)[</span><span class="sh">'</span><span class="s">WebIdentityToken</span><span class="sh">'</span><span class="p">]</span> <span class="n">google_token</span> <span class="o">=</span> <span class="nf">_exchange_aws_token_for_google_token</span><span class="p">(</span><span class="n">aws_token</span><span class="p">,</span> <span class="n">audience</span><span class="p">)</span> <span class="k">return</span> <span class="nc">Credentials</span><span class="p">(</span><span class="n">token</span><span class="o">=</span><span class="n">google_token</span><span class="p">)</span> </code></pre> </div> <p>The function above returns Google Credentials object that we can use later for any client we need. In order to easily interface with GCP services, we will use provider Python libraries. I will also use some utilities like <code>datetime</code> and <code>os</code>. We need to also load the bucket name, dataset name, table name and audience from environment variables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span><span class="p">,</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">bigquery</span><span class="p">,</span> <span class="n">storage</span> <span class="kn">from</span> <span class="n">auth</span> <span class="kn">import</span> <span class="n">authenticate_aws_oidc_to_google</span> <span class="n">AUDIENCE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">AUDIENCE</span><span class="sh">"</span><span class="p">)</span> <span class="n">GOOGLE_BUCKET</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">GOOGLE_BUCKET</span><span class="sh">"</span><span class="p">)</span> <span class="n">BQ_DATASET</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">GOOGLE_BQ_DATASET</span><span class="sh">"</span><span class="p">)</span> <span class="n">BQ_TABLE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">GOOGLE_BQ_TABLE</span><span class="sh">"</span><span class="p">)</span> <span class="n">GOOGLE_PROJECT</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">GOOGLE_PROJECT_ID</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Let's define our operations to perform as separate functions for easier understanding. First function will be to create an object in Google Storage bucket. It will be dependent on the time and we will also add Lambda's request ID for uniqueness.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">create_object_in_bucket</span><span class="p">(</span><span class="n">creds</span><span class="p">,</span> <span class="n">request_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Create a random object in the bucket under hello_&lt;timestamp&gt;.txt</span><span class="sh">"""</span> <span class="n">client</span> <span class="o">=</span> <span class="n">storage</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span><span class="n">project</span><span class="o">=</span><span class="n">GOOGLE_PROJECT</span><span class="p">,</span> <span class="n">credentials</span><span class="o">=</span><span class="n">creds</span><span class="p">)</span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="n">blob</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">bucket</span><span class="p">(</span><span class="n">GOOGLE_BUCKET</span><span class="p">).</span><span class="nf">blob</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">hello_</span><span class="si">{</span><span class="n">now</span><span class="p">.</span><span class="nf">timestamp</span><span class="p">()</span><span class="si">:</span><span class="p">.</span><span class="mi">0</span><span class="n">f</span><span class="si">}</span><span class="s">.txt</span><span class="sh">"</span><span class="p">)</span> <span class="n">blob</span><span class="p">.</span><span class="nf">upload_from_string</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Hello, world! Current time: </span><span class="si">{</span><span class="n">now</span><span class="p">.</span><span class="nf">isoformat</span><span class="p">()</span><span class="si">}</span><span class="s">, request_id: </span><span class="si">{</span><span class="n">request_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">blob</span><span class="p">.</span><span class="n">public_url</span> </code></pre> </div> <p>Another function will insert a row into our BigQuery table. We will also populate the <code>message</code> field with some text, current time and request ID from Lambda.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">create_row_in_bigquery</span><span class="p">(</span><span class="n">creds</span><span class="p">,</span> <span class="n">request_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Create a row in the bigquery table with the current time and request_id</span><span class="sh">"""</span> <span class="n">client</span> <span class="o">=</span> <span class="n">bigquery</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span><span class="n">project</span><span class="o">=</span><span class="n">GOOGLE_PROJECT</span><span class="p">,</span> <span class="n">credentials</span><span class="o">=</span><span class="n">creds</span><span class="p">)</span> <span class="n">table</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">client</span><span class="p">.</span><span class="n">project</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">BQ_DATASET</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">BQ_TABLE</span><span class="si">}</span><span class="sh">"</span> <span class="n">row</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Hello, world! Current time: </span><span class="si">{</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">()</span><span class="si">}</span><span class="s">, request_id: </span><span class="si">{</span><span class="n">request_id</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="n">err</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">insert_rows_json</span><span class="p">(</span><span class="n">table</span><span class="p">,</span> <span class="p">[</span><span class="n">row</span><span class="p">])</span> <span class="k">if</span> <span class="n">err</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error BQ: </span><span class="si">{</span><span class="n">err</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">return</span> <span class="bp">True</span> </code></pre> </div> <p>Lastly, we can glue everything together in the main Lambda handler. It will first authenticate to Google using our AWS provided JWT and try to call both functions defined above. It will also log result of each operation so that we can see it in CloudWatch logs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">creds</span> <span class="o">=</span> <span class="nf">authenticate_aws_oidc_to_google</span><span class="p">(</span><span class="n">AUDIENCE</span><span class="p">)</span> <span class="n">url</span> <span class="o">=</span> <span class="nf">create_object_in_bucket</span><span class="p">(</span><span class="n">creds</span><span class="p">,</span> <span class="n">context</span><span class="p">.</span><span class="n">aws_request_id</span><span class="p">)</span> <span class="n">success</span> <span class="o">=</span> <span class="nf">create_row_in_bigquery</span><span class="p">(</span><span class="n">creds</span><span class="p">,</span> <span class="n">context</span><span class="p">.</span><span class="n">aws_request_id</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Object URL: </span><span class="si">{</span><span class="n">url</span><span class="si">}</span><span class="s">, BigQuery success: </span><span class="si">{</span><span class="n">success</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Object URL: </span><span class="si">{</span><span class="n">url</span><span class="si">}</span><span class="s">, BigQuery success: </span><span class="si">{</span><span class="n">success</span><span class="si">}</span><span class="sh">"</span><span class="p">})}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">})}</span> </code></pre> </div> <h2> Packaging and Deploying Lambda </h2> <p>Now we need to package the Lambda code into .zip file and deploy it to AWS. Also very important is to set the environment variables we use in the code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"archive_file"</span> <span class="s2">"lambda_function"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_dir</span> <span class="p">=</span> <span class="s2">"aws_lambda"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"aws_lambda.zip"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"oidc_to_gcp"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"LambdaOIDCtoGCP"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">LambdaOutboundSTSRole</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"main.lambda_handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.12"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">lambda_function</span><span class="p">.</span><span class="nx">output_base64sha256</span> <span class="nx">filename</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">lambda_function</span><span class="p">.</span><span class="nx">output_path</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AUDIENCE</span> <span class="p">=</span> <span class="s2">"//iam.googleapis.com/projects/</span><span class="k">${data</span><span class="p">.</span><span class="nx">google_project</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">number</span><span class="k">}</span><span class="s2">/locations/global/workloadIdentityPools/</span><span class="k">${</span><span class="nx">google_iam_workload_identity_pool</span><span class="p">.</span><span class="nx">my_aws_app</span><span class="p">.</span><span class="nx">workload_identity_pool_id</span><span class="k">}</span><span class="s2">/providers/</span><span class="k">${</span><span class="nx">google_iam_workload_identity_pool_provider</span><span class="p">.</span><span class="nx">my_aws_app</span><span class="p">.</span><span class="nx">workload_identity_pool_provider_id</span><span class="k">}</span><span class="s2">"</span> <span class="nx">GOOGLE_BUCKET</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">test_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="nx">GOOGLE_BQ_DATASET</span> <span class="p">=</span> <span class="nx">google_bigquery_dataset</span><span class="p">.</span><span class="nx">my_dataset</span><span class="p">.</span><span class="nx">dataset_id</span> <span class="nx">GOOGLE_BQ_TABLE</span> <span class="p">=</span> <span class="nx">google_bigquery_table</span><span class="p">.</span><span class="nx">my_table</span><span class="p">.</span><span class="nx">table_id</span> <span class="nx">GOOGLE_PROJECT_ID</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">google_project</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Testing </h2> <p>Let's run the Lambda function and see if we can do stuff on GCP side. You can use AWS Console to trigger it or use the following CLI command (unfortunately you have to store response in a file for whatever reason 🙄)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws lambda invoke <span class="se">\</span> <span class="nt">--region</span> eu-west-1 <span class="se">\</span> <span class="nt">--function-name</span> LambdaOIDCtoGCP <span class="se">\</span> <span class="nt">--payload</span> <span class="s1">'{}'</span> <span class="se">\</span> response.json </code></pre> </div> <p>We can now look into CloudWatch logs to see all the print statements from our function to see if everything went well. You should get a similar output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">STREAM</span><span class="o">=</span><span class="si">$(</span>aws logs describe-log-streams <span class="se">\</span> <span class="nt">--log-group-name</span> /aws/lambda/LambdaOIDCtoGCP <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'logStreams[0].logStreamName'</span> <span class="se">\</span> <span class="nt">--output</span> text<span class="si">)</span> aws logs get-log-events <span class="se">\</span> <span class="nt">--log-group-name</span> /aws/lambda/LambdaOIDCtoGCP <span class="nt">--log-stream-name</span> <span class="s2">"</span><span class="nv">$STREAM</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--output</span> text <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'events[].[timestamp,message]'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1763923647520 START RequestId: a2d3bf7c-3bf5-4c6b-9f55-36febec82c96 Version: $LATEST 1763923648706 Object URL: https://storage.googleapis.com/my-test-bucket-fc436b0fe1b7c943/hello_1763923648.txt 1763923649085 BigQuery success: True 1763923649092 END RequestId: a2d3bf7c-3bf5-4c6b-9f55-36febec82c96 </code></pre> </div> <p>Take the object URL and replace <code>https://storage.googleapis.com/</code> with <code>gs://</code>. Use <code>gsutil</code> to see the list of files in the bucket as well as contents of the file created. Compare the request ID in the object with the one in the logs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>gsutil <span class="nb">ls </span>gs://my-test-bucket-fc436b0fe1b7c943/ gs://my-test-bucket-fc436b0fe1b7c943/hello_1763923648.txt <span class="nv">$ </span>gsutil <span class="nb">cat </span>gs://my-test-bucket-fc436b0fe1b7c943/hello_1763923648.txt Hello, world! Current <span class="nb">time</span>: 2025-11-23T18:47:28.288871, request_id: a2d3bf7c-3bf5-4c6b-9f55-36febec82c96 </code></pre> </div> <p>We can also query BigQuery table to see if the records were inserted as we wanted. Use <code>bq</code> tool to run a simple <code>SELECT</code> statement.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>bq query <span class="s2">"SELECT * FROM my_dataset.my_table"</span> +---------------------+----------------------------------------------------------------------------------------------------------+ | timestamp | message | +---------------------+----------------------------------------------------------------------------------------------------------+ | 2025-11-23 18:47:28 | Hello, world! Current <span class="nb">time</span>: 2025-11-23T18:47:28.706698, request_id: a2d3bf7c-3bf5-4c6b-9f55-36febec82c96 | +---------------------+----------------------------------------------------------------------------------------------------------+ </code></pre> </div> <h2> Checking if permissions are enforced </h2> <p>To verify that our IAM conditions in Google Cloud are working, I will create a second bucket without granting any permissions to our AWS role and run Lambda again. It should error out when trying to upload the content to GCS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"second_bucket"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"my-second-bucket-</span><span class="k">${</span><span class="nx">random_id</span><span class="p">.</span><span class="nx">bucket_name</span><span class="p">.</span><span class="nx">hex</span><span class="k">}</span><span class="s2">"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"europe-west1"</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="nx">uniform_bucket_level_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># In Lambda environment variables, change GOOGLE_BUCKET to:</span> <span class="k">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"oidc_to_gcp"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"LambdaOIDCtoGCP"</span> <span class="c1"># ...</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="c1">#...</span> <span class="nx">GOOGLE_BUCKET</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">second_bucket</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Invoke the function again and get new log stream. You should see some error just like me below.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws lambda invoke <span class="se">\</span> <span class="nt">--region</span> eu-west-1 <span class="se">\</span> <span class="nt">--function-name</span> LambdaOIDCtoGCP <span class="se">\</span> <span class="nt">--payload</span> <span class="s1">'{}'</span> <span class="se">\</span> response.json <span class="nv">STREAM</span><span class="o">=</span><span class="si">$(</span>aws logs describe-log-streams <span class="se">\</span> <span class="nt">--log-group-name</span> /aws/lambda/LambdaOIDCtoGCP <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'logStreams[0].logStreamName'</span> <span class="se">\</span> <span class="nt">--output</span> text<span class="si">)</span> aws logs get-log-events <span class="se">\</span> <span class="nt">--log-group-name</span> /aws/lambda/LambdaOIDCtoGCP <span class="nt">--log-stream-name</span> <span class="s2">"</span><span class="nv">$STREAM</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--output</span> text <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'events[].[timestamp,message]'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1763924479236 START RequestId: 6a7d8016-ba34-4075-bca0-77d3bcb2c7a7 Version: $LATEST 1763924480076 Creds: &lt;google.oauth2.credentials.Credentials object at 0x7fef0787e9c0&gt; 1763924480586 Error: 403 POST https://storage.googleapis.com/upload/storage/v1/b/my-second-bucket-fc436b0fe1b7c943/o?uploadType=multipart: { 1763924480586 "error": { 1763924480586 "code": 403, 1763924480586 "message": "Caller does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).", </code></pre> </div> <h2> Conclusion </h2> <p>This new outbound OIDC feature in AWS IAM is really simple to use. As you have seen in this project, most of the complexity was on Google Cloud's side. We barely did any setup for AWS itself. With that, you can now integrate IAM directly with your applications if they support OIDC.</p> google serverless aws security Piotr Pabis Wed, 22 Oct 2025 18:36:46 +0000 https://forem.com/aws-builders/lets-try-managed-ecs-instances-3fl4 https://forem.com/aws-builders/lets-try-managed-ecs-instances-3fl4 <p>If you use ECS, you should already know about the two ways of running the containers: on EC2 machines or using serverless technology - Fargate. If you choose EC2 instances then you have to take care of the autoscaling groups, using the latest AMI. Fargate on the other hand is limited regarding shared volumes and memory and CPU selections. However, on <a href="https://aws.amazon.com/blogs/aws/announcing-amazon-ecs-managed-instances-for-containerized-applications/" rel="noopener noreferrer">30th of September 2025 AWS announced</a> a hybrid approach: managed EC2 instances. It gives you the savings of EC2 instances with as little management overhead as Fargate. Today, we will try this out!</p> <h2> Base infrastructure </h2> <p>As I assume that you are already an experienced user, I won't cover the basics like VPC and how to use ECS. We will start from a basic infrastructure: VPC, ECS Cluster, Application Load Balancer and some other necessities like IAM roles and Security Groups. The image below shows what we aim to create.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm0t4ykbh09k1md8e44sq.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm0t4ykbh09k1md8e44sq.jpg" alt="Infrastructure diagram" width="559" height="509"></a></p> <p>Both our EC2 instances and ECS service will be running in private subnets. Public one will be only used by the ALB and fck-nat instance providing us the Internet and save on endpoint costs. You can find the Terraform code here: <a href="https://github.com/ppabis/managed-ecs-instances" rel="noopener noreferrer">github.com/ppabis/managed-ecs-instances</a>. I will skip description of things like <code>vpc.tf</code>.</p> <h2> Defining security for Managed Instances </h2> <p>In advance I can say that we will need to define three resources: IAM role for the capacity provider (which is not a service role), IAM role/profile for individual EC2 instances and their security groups. Let's do it now.</p> <h3> Infrastructure role </h3> <p>The first role we have to create is the infrastructure role. Fortunately, there is already a policy that will cover all the required permissions and we just need to attach it. Infrastructure role for the capacity provider trusts service <code>ecs.amazonaws.com</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"trust_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ecs.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ecs_infrastructure"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ECSInfraRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">trust_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ecs_infrastructure"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_infrastructure</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonECSInfrastructureRolePolicyForManagedInstances"</span> <span class="p">}</span> </code></pre> </div> <h3> EC2 instance role </h3> <p>Another one that we need to define is the role and profile for individual EC2 instances. They also need to communicate with some services. Just as with above the permissions are already defined in a policy created by AWS. Also note that you should name the instance role starting with <code>ecsInstanceRole</code> to be able to use the default AWS managed policy. Otherwise you would need to define another permission to allow to pass role by the infrastructure role.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"trust_policy_instance"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ec2.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ecs_managed_instance"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ecsInstanceRoleManaged"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">trust_policy_instance</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_instance_profile"</span> <span class="s2">"ecs_managed_instance"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ECSManagedInstanceProfile"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_managed_instance</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ecs_instance"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_managed_instance</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonECSInstanceRolePolicyForManagedInstances"</span> <span class="p">}</span> </code></pre> </div> <h3> Security group </h3> <p>I will give the instances complete egress access as there are no inbound requirements. This is mostly used to tag the traffic coming from the instances in case you want to allow them to communicate for example to a VPC interface endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"managed-instance-sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ManagedECSInstancesSG"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Defining the capacity provider </h2> <p>In order to use Managed ECS Instances, we need to define a capacity provider just as we did with classic EC2 autoscaling group. This time however, the parameters are a bit different. Make sure that you use Terrafrom AWS provider version 6.15 or newer.</p> <p>First we define the name of the provider and we directly set the cluster for which it will be created. The resource type is <code>aws_ecs_capacity_provider</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecs_cluster"</span> <span class="s2">"ec2-managed"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ec2-managed"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ecs_capacity_provider"</span> <span class="s2">"ec2-managed"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ec2-managed"</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="nx">aws_ecs_cluster</span><span class="p">.</span><span class="nx">ec2-managed</span><span class="p">.</span><span class="nx">name</span> <span class="nx">managed_instances_provider</span> <span class="p">{</span> <span class="c1"># more parameters follow ...</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Next we need to define the <code>managed_instances_provider</code> block. First, we give need to give it the infrastructure role. I will also add an option to propagate tags of this provider to the instances, so that we can easily find them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecs_capacity_provider"</span> <span class="s2">"ec2-managed"</span> <span class="p">{</span> <span class="c1"># ...</span> <span class="nx">managed_instances_provider</span> <span class="p">{</span> <span class="nx">infrastructure_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_infrastructure</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">propagate_tags</span> <span class="p">=</span> <span class="s2">"CAPACITY_PROVIDER"</span> <span class="nx">instance_launch_template</span> <span class="p">{</span> <span class="c1"># more parameters here ...</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Next nested block is <code>instance_launch_template</code>. Here we define all the details of how the EC2 instances should be shaped. Let's start by defining the IAM role/profile for the instance, configuring monitoring level and storage size. I will also use private subnets and the new security group in the networking config.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecs_capacity_provider"</span> <span class="s2">"ec2-managed"</span> <span class="p">{</span> <span class="c1"># ...</span> <span class="nx">managed_instances_provider</span> <span class="p">{</span> <span class="c1"># ...</span> <span class="nx">instance_launch_template</span> <span class="p">{</span> <span class="nx">ec2_instance_profile_arn</span> <span class="p">=</span> <span class="nx">aws_iam_instance_profile</span><span class="p">.</span><span class="nx">ecs_managed_instance</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">monitoring</span> <span class="p">=</span> <span class="s2">"BASIC"</span> <span class="nx">storage_configuration</span> <span class="p">{</span> <span class="nx">storage_size_gib</span> <span class="p">=</span> <span class="mi">16</span> <span class="p">}</span> <span class="nx">network_configuration</span> <span class="p">{</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">managed-instance-sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">instance_requirements</span> <span class="p">{</span> <span class="c1"># ... more parameters</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The last nested block inside <code>instance_launch_template</code> is <code>instance_requirements</code>. Here we define the CPU and memory sizes, instance generations and CPU manufacturers to select. You can also optionally choose GPUs and FPGAs. I will choose only Graviton instances of current and previous generation with between 2-4 CPUs and 2GB-16GB of memory. I want to also avoid bare metal instances and include burstable (<code>t4g</code> and <code>t3g</code>) instances.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecs_capacity_provider"</span> <span class="s2">"ec2-managed"</span> <span class="p">{</span> <span class="c1"># ...</span> <span class="nx">managed_instances_provider</span> <span class="p">{</span> <span class="c1"># ...</span> <span class="nx">instance_launch_template</span> <span class="p">{</span> <span class="c1"># ...</span> <span class="nx">instance_requirements</span> <span class="p">{</span> <span class="nx">memory_mib</span> <span class="p">{</span> <span class="nx">min</span> <span class="p">=</span> <span class="mi">2048</span> <span class="nx">max</span> <span class="p">=</span> <span class="mi">16384</span> <span class="p">}</span> <span class="nx">vcpu_count</span> <span class="p">{</span> <span class="nx">min</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max</span> <span class="p">=</span> <span class="mi">4</span> <span class="p">}</span> <span class="nx">instance_generations</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"current"</span><span class="p">,</span> <span class="s2">"previous"</span><span class="p">]</span> <span class="nx">cpu_manufacturers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"amazon-web-services"</span><span class="p">]</span> <span class="nx">burstable_performance</span> <span class="p">=</span> <span class="s2">"included"</span> <span class="nx">bare_metal</span> <span class="p">=</span> <span class="s2">"excluded"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcgpmbev169t8d6tridt9.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcgpmbev169t8d6tridt9.jpg" alt="Types of matching instances" width="800" height="323"></a></p> <p>The next part is very important as well. Even though if you now go to the AWS Console and look at the cluster, it will show that there's indeed the Managed Instances capacity provider. However, there's no capacity strategy set. It is different than with Fargate, where you can just set launch type to "FARGATE" in the service you are good to go on any cluster. You can bind the capacity directly to the service but it's better to control it at the cluster level for a cleaner setup. Thus we need to define the default strategy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecs_cluster_capacity_providers"</span> <span class="s2">"ec2-managed"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_ecs_cluster</span><span class="p">.</span><span class="nx">ec2-managed</span><span class="p">.</span><span class="nx">name</span> <span class="nx">capacity_providers</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_ecs_capacity_provider</span><span class="p">.</span><span class="nx">ec2-managed</span><span class="p">.</span><span class="nx">name</span><span class="p">]</span> <span class="nx">default_capacity_provider_strategy</span> <span class="p">{</span> <span class="nx">capacity_provider</span> <span class="p">=</span> <span class="nx">aws_ecs_capacity_provider</span><span class="p">.</span><span class="nx">ec2-managed</span><span class="p">.</span><span class="nx">name</span> <span class="nx">base</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">weight</span> <span class="p">=</span> <span class="mi">100</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Load balancer to preview the service </h2> <p>In order to test the service, I will create a load balancer with HTTP listener. It is a pretty basic setup for the ECS services. It is important to set the target group target type to <code>ip</code> and configure an appropriate health check. In case of needed quicker redeployments I will also define a shorter deregistration delay.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"alb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"test-ecs-managed-alb"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"alb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"test-ecs-managed-lb"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="nx">enable_deletion_protection</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_lb_target_group"</span> <span class="s2">"test-ecs"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"test-ecs-managed-tg"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">target_type</span> <span class="p">=</span> <span class="s2">"ip"</span> <span class="nx">deregistration_delay</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">health_check</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">healthy_threshold</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">unhealthy_threshold</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">interval</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">matcher</span> <span class="p">=</span> <span class="s2">"200-499"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_lb_listener"</span> <span class="s2">"http"</span> <span class="p">{</span> <span class="nx">load_balancer_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"forward"</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">test-ecs</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We will be then able to use the load balanacer and the target group to preview our containers and see if they are working. I will use just default Nginx from ECR public gallery as the test.</p> <h2> Task definition </h2> <p>To define a task definition we need first to have some IAM roles that will be attached as task role and as execution role. The task role doesn't need any permissions for now as we won't be accessing any internal AWS services. For execution role we will just use the default managed policy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"ecs_task_assume_role"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ecs-tasks.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"task"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"test-managed-ecs-task-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">ecs_task_assume_role</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"execution"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"test-managed-ecs-execution-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">ecs_task_assume_role</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"execution"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">execution</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"</span> <span class="p">}</span> </code></pre> </div> <p>Another thing is a security group. I will add one that will allow the load balancer to access our Nginx container on port 80 and the container should be able to reach out to the wide Internet if necessary.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"service-sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"test-ecs-service-sg"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now we can create a task definition. I will enforce it to use ARM64 architecture and require compatibility of "MANAGED_INSTANCES". Apparently this is required for the task to deploy using this capacity provider. As previously said, I will use public ECR gallery Nginx image and map port 80. We will use <code>awsvpc</code> networking mode to have a new network interface created for each of our tasks. For this task I will use 0.5 vCPU and 1GB of RAM.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecs_task_definition"</span> <span class="s2">"test-ecs"</span> <span class="p">{</span> <span class="nx">family</span> <span class="p">=</span> <span class="s2">"test-ecs-task"</span> <span class="nx">task_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">task</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">execution_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">execution</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"512"</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"1024"</span> <span class="nx">network_mode</span> <span class="p">=</span> <span class="s2">"awsvpc"</span> <span class="nx">requires_compatibilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"MANAGED_INSTANCES"</span><span class="p">]</span> <span class="nx">runtime_platform</span> <span class="p">{</span> <span class="nx">operating_system_family</span> <span class="p">=</span> <span class="s2">"LINUX"</span> <span class="nx">cpu_architecture</span> <span class="p">=</span> <span class="s2">"ARM64"</span> <span class="p">}</span> <span class="nx">container_definitions</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">([{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"web"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"public.ecr.aws/nginx/nginx:latest"</span> <span class="nx">essential</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">portMappings</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">hostPort</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}]</span> <span class="p">}])</span> <span class="p">}</span> </code></pre> </div> <p>Lastly we can create the service that will spawn the new tasks and add them to the load balancer. For the first try I will just set desired count to 1. Add <code>capacity_provider_strategy</code> to ignored, as we don't want to bind the service with this capacity. Also otherwise any redeployment will fail.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecs_service"</span> <span class="s2">"test-ecs"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"test-ecs-service"</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="nx">aws_ecs_cluster</span><span class="p">.</span><span class="nx">ec2-managed</span><span class="p">.</span><span class="nx">name</span> <span class="nx">desired_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">task_definition</span> <span class="p">=</span> <span class="nx">aws_ecs_task_definition</span><span class="p">.</span><span class="nx">test-ecs</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">enable_ecs_managed_tags</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">network_configuration</span> <span class="p">{</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">service-sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">load_balancer</span> <span class="p">{</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">test-ecs</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">container_name</span> <span class="p">=</span> <span class="s2">"web"</span> <span class="nx">container_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">capacity_provider_strategy</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>You can even use any chosen values for memory and CPU in the task definition such as <code>1234</code> for CPU and <code>1234</code> for RAM as we are not constrained by available Fargate configs. I will also try to scale up the service to some large number of containers to see how will be the EC2 instances scheduled.</p> <h2> Scaling up the service </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fna4ajrxg2x3fj2u90fg4.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fna4ajrxg2x3fj2u90fg4.jpg" alt="Most of the instances given were t4g.small" width="800" height="257"></a></p> <p>When I chose to scale the instances to 30 (and I also had to increase account quota), the only instances that were created were <code>t4g.small</code>. This seemed quite inefficient as the scheduler also consumes some capacity and larger instances seem more reasonable. However, it was likely due to limitation of how many network cards can be added to each instance. <code>t4g.small</code> can provide up to 3 network cards, so two of them can be used by the ECS tasks. <code>t4g.large</code> has the same count. However, after several tries I got this weird combination:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws ec2 describe-instances <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=tag:aws:ecs:clusterName,Values=ec2-managed"</span> <span class="se">\</span> <span class="s2">"Name=instance-state-name,Values=running"</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Reservations[*].Instances[*].[InstanceType]'</span> <span class="se">\</span> <span class="nt">--output</span> text | <span class="nb">tr</span> <span class="s1">'\t'</span> <span class="s1">'\n'</span> | <span class="nb">sort</span> | <span class="nb">uniq</span> <span class="nt">-c</span> 5 im4gn.large 3 is4gen.large 16 t4g.small </code></pre> </div> <p>In my opinion this looks even worse as the <code>i4</code> instances are twice as much expensive as <code>t4g</code> per CPU but <code>im4</code> have some more memory per each core. So I tried setting some large memory requirement to get an <code>r</code>-family instance. I set 10 tasks of <code>1000</code> millicores and <code>3500</code> MB of RAM. This gave me just 10 <code>t4g.medium</code> instances as they have 4 GB memory each. So I increase the stakes even higher and asked for <code>14000</code> MB per task. This time I got 10 <code>r6g.large</code> instances.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws ec2 describe-instances <span class="se">\</span> <span class="nt">--filters</span> <span class="s2">"Name=tag:aws:ecs:clusterName,Values=ec2-managed"</span> <span class="se">\</span> <span class="s2">"Name=instance-state-name,Values=running"</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Reservations[*].Instances[*].[InstanceType]'</span> <span class="se">\</span> <span class="nt">--output</span> text | <span class="nb">tr</span> <span class="s1">'\t'</span> <span class="s1">'\n'</span> | <span class="nb">sort</span> | <span class="nb">uniq</span> <span class="nt">-c</span> 10 r6g.large 10 t4g.medium 2 t4g.small </code></pre> </div> <p>As you can see, ECS Managed Instances give us much more flexibility. We can quickly spawn different types of instances based on our need and the configuration is more than trivial. Cost-wise this setup is the most optimal even if you don't have reserved instances. Fargate is still just $0.04 per hour for a task with 1 vCPU and 1 GB requirement but for that price you can get <code>t4g.medium</code> with 2 CPUs and 4 GB of RAM. The startup time is almost negligible as Bottlerocket (Amazon's OS for running containers) instances start within seconds.</p> aws containers ecs docker Piotr Pabis Thu, 09 Oct 2025 09:00:00 +0000 https://forem.com/aws-builders/codepipeline-codebuild-and-multiple-environments-in-ecs-27l6 https://forem.com/aws-builders/codepipeline-codebuild-and-multiple-environments-in-ecs-27l6 <p>If you are in the industry and want to conform to the DevOps principles, you must know what CI/CD is and enable developers to test their code as in a real environment as well as allow them to reproducibly deploy their application to the cloud in an automated and less error-prone way. Enough talking, let's go beyond the theory and see some practical example.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4qishd2f4n16qbn43ozu.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4qishd2f4n16qbn43ozu.jpg" alt="Diagram of our solution" width="729" height="499"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9kwuk3yk6ow3rr2j20ak.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9kwuk3yk6ow3rr2j20ak.jpg" alt="Deployment diagram" width="486" height="205"></a></p> <p>As you can see on the diagram above, we have two ECS environments represented here as two ECS services. You can also make a stronger separation by deploying to different VPCs or even accounts but for the sake of simplicity we will just have two services <code>dev</code> and <code>prod</code> in the same ECS Cluster.</p> <p>Also on the diagram we have a CodeBuild project that will build a Dockerfile and push directly to ECR as well as a CodePipeline pipeline that will clone source code from GitHub, run CodeBuild job, deploy to development ECS service and contain another manual step (approval) that will trigger another action - deployment to production.</p> <h2> Basic setup </h2> <p>I won't describe everything here. As the base infrastructure we will deploy a VPC, an fck-nat instance (to save on NAT Gateway and VPC Endpoints costs) and all ECS necessities. We will also have ECR repository created. To preview our application, I will also create an Application Load Balancer. For now, all the services will be scaled to 0, so that it won't try to pull inexistent image from ECR.</p> <p>You can find complete Terraform code of the above here: <a href="https://github.com/ppabis/ECS-CodePipeline-TwoEnvironments/tree/stage1" rel="noopener noreferrer">stage 1 of the project on GitHub</a>.</p> <h2> Pushing example Nginx </h2> <p>To test if everything works smoothly, I will build an Nginx container locally on my laptop. I will use AWS CLI credentials to authenticate. In the same Terraform repository I will get the output for the ECR repository URL and push.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ REPOSITORY_URL</span><span class="o">=</span><span class="si">$(</span>tofu output <span class="nt">-raw</span> ecr_repository_url<span class="si">)</span>:latest <span class="nv">$ REGISTRY_URL</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$REPOSITORY_URL</span><span class="s2">"</span> | <span class="nb">cut</span> <span class="nt">-d</span><span class="s1">'/'</span> <span class="nt">-f1</span><span class="si">)</span> <span class="nv">$ </span>aws ecr get-login-password <span class="nt">--region</span> eu-west-3 | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> <span class="nv">$REGISTRY_URL</span> <span class="nv">$ </span>docker tag nginx:1.29 <span class="nv">$REPOSITORY_URL</span>:latest <span class="nv">$ </span>docker push <span class="nv">$REPOSITORY_URL</span>:latest </code></pre> </div> <p>Now we can scale the services to 1 task. We should see Nginx welcome page if we navigate to the ALB DNS name. For the dev environment, I chose <code>/dev</code> path. This will be also reflected in Nginx so it will for now throw a 404 error but it's expected. The most important is if the service started and if there is connectivity. In <code>ecs.tf</code> change <code>desired_count</code> to 1 and wait a bit for the deployment to succeed.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb0m1fmluc9tnegzbovm0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb0m1fmluc9tnegzbovm0.png" alt="Accessing the mock service" width="800" height="199"></a></p> <p>By doing this we could test the connectivity and if everything is configured correctly for future deployments.</p> <h2> Creating CodeConnection </h2> <p>You will need to create a new repository for your app code. It can be GitHub, GitLab or BitBucket, doesn't matter. I will use GitHub in the example.</p> <p>CodeConnection (formerly CodeStar connection) is an authorization of AWS to use your GitHub account. Even if you create this resource with Terraform, CLI or CloudFormation, you still need to go through the authorization flow with the browser (once). Let's create one in Terraform and go through the process of granting least privilege to AWS (so only repositories we have to). In the new file called <code>codestar.tf</code> write the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_codeconnections_connection"</span> <span class="s2">"github"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gh-connection"</span> <span class="nx">provider_type</span> <span class="p">=</span> <span class="s2">"GitHub"</span> <span class="p">}</span> </code></pre> </div> <p>Apply the change with Terraform and go to AWS Console, search for any Code* services (CodePipeline for example). In the left panel go down to Settings &gt; Connections. In the pending one click "Update a pending connection". Press "Install a new app" and you will be prompted to log in to GitHub.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9lnh474ztagq87vya1i3.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9lnh474ztagq87vya1i3.jpg" alt="Search for CodePipeline" width="800" height="169"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffrk4mvn8d4gl1or6mvd1.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffrk4mvn8d4gl1or6mvd1.jpg" alt="Select Settings and Update pending connection" width="800" height="261"></a></p> <p>You will be presented with AWS Connector settings. In Repository access select "Only select repositories" and add your app repo to the list.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5v9e11h885s3urzn8oz.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5v9e11h885s3urzn8oz.jpg" alt="Only select repositories" width="513" height="299"></a></p> <p>If you want to add more repositories later, you can go to your GitHub account settings &gt; Integrations &gt; Applications and configure AWS Connector from there.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3zge0ja7ut4gtexkhh6j.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3zge0ja7ut4gtexkhh6j.jpg" alt="Configure AWS Connector" width="800" height="408"></a></p> <h2> Creating the pipeline </h2> <p>Now as you already have the connection, you can use it to define the<br> CodePipeline. In a new file <code>codepipeline.tf</code> we will start drafting it. Do not deploy it yet, as you need at least source and build phases to be able to deploy it. We will also need a role and an S3 bucket to store the artifacts. Define them as well.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_codepipeline"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-pipeline"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">codepipeline_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">artifact_store</span> <span class="p">{</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">codepipeline_staging</span><span class="p">.</span><span class="nx">bucket</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S3"</span> <span class="p">}</span> <span class="c1"># Stage 1: Source - Pull code from GitHub</span> <span class="nx">stage</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Source"</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Source"</span> <span class="nx">category</span> <span class="p">=</span> <span class="s2">"Source"</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="k">provider</span> <span class="p">=</span> <span class="s2">"CodeStarSourceConnection"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">output_artifacts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"source_output"</span><span class="p">]</span> <span class="nx">configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ConnectionArn</span> <span class="p">=</span> <span class="nx">aws_codestarconnections_connection</span><span class="p">.</span><span class="nx">github</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">FullRepositoryId</span> <span class="p">=</span> <span class="s2">"ppabis/demo-app"</span> <span class="nx">BranchName</span> <span class="p">=</span> <span class="s2">"main"</span> <span class="nx">DetectChanges</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># ... Next steps will follow</span> <span class="p">}</span> </code></pre> </div> <p>I will load the policies from JSON files to make the Terraform structure more readable. You can see all the defined policies here (also for CodeBuild): <a href="https://github.com/ppabis/ECS-CodePipeline-TwoEnvironments/tree/master/policies" rel="noopener noreferrer">policies on GitHub</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"codepipeline_staging"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"pipeline-99819188-makeitunique"</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># IAM Role for CodePipeline</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"codepipeline_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-codepipeline-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"policies/assume_codepipeline.json"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"codepipeline"</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"codepipeline_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-codepipeline-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">codepipeline_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"policies/codepipeline.json"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">bucket_name</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">codepipeline_staging</span><span class="p">.</span><span class="nx">id</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> CodeBuild instance to build Docker images </h2> <p>Next we will create a CodeBuild project that will build and push the Docker image. It is possible to limit it to the VPC (and use your own Elastic IP for example due to DockerHub limits) but I will just use a public instance for simplicity. I will also create IAM role and a log group so that we see what is happening during the build. In <code>codebuild.tf</code> write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># IAM Role for CodeBuild</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"codebuild_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-codebuild-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"policies/assume.json"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"codebuild"</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"codebuild_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-codebuild-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">codebuild_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"policies/codebuild.json"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">bucket_name</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">codepipeline_staging</span><span class="p">.</span><span class="nx">id</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># CloudWatch Log Group for CodeBuild</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_log_group"</span> <span class="s2">"codebuild"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"/aws/codebuild/demo-build-push"</span> <span class="nx">retention_in_days</span> <span class="p">=</span> <span class="mi">7</span> <span class="p">}</span> <span class="c1"># CodeBuild project for building and pushing Docker image</span> <span class="k">resource</span> <span class="s2">"aws_codebuild_project"</span> <span class="s2">"build_and_push"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-build-push"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Build Docker image and push to ECR"</span> <span class="nx">service_role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">codebuild_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">build_timeout</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">artifacts</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CODEPIPELINE"</span> <span class="p">}</span> <span class="nx">source</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CODEPIPELINE"</span> <span class="p">}</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">compute_type</span> <span class="p">=</span> <span class="s2">"BUILD_GENERAL1_SMALL"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"aws/codebuild/amazonlinux-aarch64-standard:3.0"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ARM_CONTAINER"</span> <span class="nx">privileged_mode</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">image_pull_credentials_type</span> <span class="p">=</span> <span class="s2">"CODEBUILD"</span> <span class="nx">environment_variable</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ECR_REPOSITORY_URL"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_ecr_repository</span><span class="p">.</span><span class="nx">demo_app</span><span class="p">.</span><span class="nx">repository_url</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">logs_config</span> <span class="p">{</span> <span class="nx">cloudwatch_logs</span> <span class="p">{</span> <span class="nx">group_name</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_log_group</span><span class="p">.</span><span class="nx">codebuild</span><span class="p">.</span><span class="nx">name</span> <span class="nx">stream_name</span> <span class="p">=</span> <span class="s2">"build-logs"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now we can attach the build project to the pipeline as the next step after source. We will control the process from the app repository using <code>buildspec.yml</code> that we will define later. I will also add another step that will read <code>imagespec.json</code> that will contain changes for ECS service and deploy it to ECS. Add the following to your existing <code>codepipeline.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_codepipeline"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-pipeline"</span> <span class="c1"># ... previous steps</span> <span class="c1"># Stage 2: Build - Build Docker image and push to ECR</span> <span class="nx">stage</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Build"</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Build"</span> <span class="nx">category</span> <span class="p">=</span> <span class="s2">"Build"</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="k">provider</span> <span class="p">=</span> <span class="s2">"CodeBuild"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">input_artifacts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"source_output"</span><span class="p">]</span> <span class="nx">output_artifacts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"build_output"</span><span class="p">]</span> <span class="nx">configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ProjectName</span> <span class="p">=</span> <span class="nx">aws_codebuild_project</span><span class="p">.</span><span class="nx">build_and_push</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Stage 3: Deploy - Deploy to ECS</span> <span class="nx">stage</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Deploy"</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Deploy"</span> <span class="nx">category</span> <span class="p">=</span> <span class="s2">"Deploy"</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="k">provider</span> <span class="p">=</span> <span class="s2">"ECS"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">input_artifacts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"build_output"</span><span class="p">]</span> <span class="nx">configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ClusterName</span> <span class="p">=</span> <span class="nx">aws_ecs_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">ServiceName</span> <span class="p">=</span> <span class="nx">aws_ecs_service</span><span class="p">.</span><span class="nx">dev</span><span class="p">.</span><span class="nx">service_name</span> <span class="nx">FileName</span> <span class="p">=</span> <span class="s2">"imagespec.json"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>You can deploy this Terraform configuration. It will fail but it is expected as we have no <code>buildspec.yml</code> defined anywhere.</p> <h2> Creating demo app </h2> <p>In your demo app repository create a sample app that will be deployed into the service. For now it will be just a Dockerfile with Nginx and some sample HTML page. I will also alias <code>/dev</code> to the root so that the same container can be used with multiple paths in ALB.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> public.ecr.aws/nginx/nginx:1.29</span> <span class="k">COPY</span><span class="s"> index.html /usr/share/nginx/html/index.html</span> <span class="k">COPY</span><span class="s"> nginx.conf /etc/nginx/conf.d/default.conf</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">_</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">root</span> <span class="n">/usr/share/nginx/html</span><span class="p">;</span> <span class="kn">index</span> <span class="s">index.html</span> <span class="s">index.htm</span><span class="p">;</span> <span class="p">}</span> <span class="kn">location</span> <span class="n">/dev/</span> <span class="p">{</span> <span class="kn">alias</span> <span class="n">/usr/share/nginx/html/</span><span class="p">;</span> <span class="kn">index</span> <span class="s">index.html</span> <span class="s">index.htm</span><span class="p">;</span> <span class="p">}</span> <span class="kn">error_page</span> <span class="mi">500</span> <span class="mi">502</span> <span class="mi">503</span> <span class="mi">504</span> <span class="n">/50x.html</span><span class="p">;</span> <span class="kn">location</span> <span class="p">=</span> <span class="n">/50x.html</span> <span class="p">{</span> <span class="kn">root</span> <span class="n">/usr/share/nginx/html</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>I will also create a <code>buildspec.yml</code> in the root of the repository. This will enable us to control the flow of the build in the CodeBuild project. First we need to log in to the ECR registry using Docker and then we can build and push the images. At the last step, we need to produce a change that will be deployed to ECS service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="m">0.2</span> <span class="na">phases</span><span class="pi">:</span> <span class="na">pre_build</span><span class="pi">:</span> <span class="na">commands</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo Logging in to Amazon ECR...</span> <span class="pi">-</span> <span class="s">export AWS_REGION=$(echo $ECR_REPOSITORY_URL | cut -d '.' -f 4)</span> <span class="pi">-</span> <span class="s">aws ecr get-login-password | docker login --username AWS --password-stdin $ECR_REPOSITORY_URL</span> <span class="pi">-</span> <span class="s">IMAGE_TAG=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)</span> <span class="na">build</span><span class="pi">:</span> <span class="na">commands</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker build -t $ECR_REPOSITORY_URL:$IMAGE_TAG .</span> <span class="pi">-</span> <span class="s">docker tag $ECR_REPOSITORY_URL:$IMAGE_TAG $ECR_REPOSITORY_URL:latest</span> <span class="pi">-</span> <span class="s">docker push $ECR_REPOSITORY_URL:latest</span> <span class="pi">-</span> <span class="s">docker push $ECR_REPOSITORY_URL:$IMAGE_TAG</span> <span class="na">post_build</span><span class="pi">:</span> <span class="na">commands</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">printf '[{"name":"web","imageUri":"%s"}]' $ECR_REPOSITORY_URL:$IMAGE_TAG &gt; imagespec.json</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">imagespec.json</span> </code></pre> </div> <p>After you push the changes, a new build should be triggered. If not, try to go to the AWS Console, find the pipeline in CodePipeline and retry or try pressing "Release change". If you now go to the ALB's URL under <code>/dev</code>, you should see some HTML page. On the left you see deafult Nginx page of the production service and on the right some vibe-coded futuristic page.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjf1evyt6u6vagr1tebhe.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjf1evyt6u6vagr1tebhe.jpg" alt="Some HTML page on dev" width="800" height="348"></a></p> <h2> Pipeline for production deployments </h2> <p>For now the pipeline pushes only to dev. I will create a new stage and actions that will run only if someone accepts the development build and deploy it to production service. This stage will have two actions: manual approval with run order of 1 and another deployment with run order of 2. This makes the second action dependent on the first and lets us save on unnecessary extra stages.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdikrm7t63fkzelq0oysy.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdikrm7t63fkzelq0oysy.jpg" alt="Pipeline diagram with production deployment" width="608" height="261"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_codepipeline"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-pipeline"</span> <span class="c1"># ... Previous stages</span> <span class="nx">stage</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Acceptance"</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ApproveProduction"</span> <span class="nx">category</span> <span class="p">=</span> <span class="s2">"Approval"</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="k">provider</span> <span class="p">=</span> <span class="s2">"Manual"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">run_order</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"DeployProduction"</span> <span class="nx">category</span> <span class="p">=</span> <span class="s2">"Deploy"</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="k">provider</span> <span class="p">=</span> <span class="s2">"ECS"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">input_artifacts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"build_output"</span><span class="p">]</span> <span class="nx">run_order</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ClusterName</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ecs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">ServiceName</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ecs</span><span class="p">.</span><span class="nx">services</span><span class="p">[</span><span class="s2">"prod"</span><span class="p">].</span><span class="nx">name</span> <span class="nx">FileName</span> <span class="p">=</span> <span class="s2">"imagespec.json"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If you now go to the console and press "Release change" the pipeline will run again. It will rebuild the image, deploy to development but the last stage will wait for your acceptance.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzuo4h0sb05hf1hdu7kcg.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzuo4h0sb05hf1hdu7kcg.jpg" alt="Waiting for acceptance" width="666" height="336"></a></p> <p>You can press on the action with the blue clock and select either "Accept" or "Reject". In the comment box you can state reasons for either choice. This info will be saved for the current pipeline run. After the acceptance, another deployment job will be run and you should see the same page on development and production.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiinslaz6bmg1h4jfflmh.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiinslaz6bmg1h4jfflmh.jpg" alt="Deploying to production" width="666" height="336"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuvqqj6fzx33u7wqyiac3.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuvqqj6fzx33u7wqyiac3.jpg" alt="Same page on dev and production" width="800" height="375"></a></p> <p>The completed repository is available on the master branch on GitHub:<br> <a href="https://github.com/ppabis/ECS-CodePipeline-TwoEnvironments" rel="noopener noreferrer">ppabis/ECS-CodePipeline-TwoEnvironments</a>.<br> Example app is also public:<br> <a href="https://github.com/ppabis/demo-app" rel="noopener noreferrer">ppabis/demo-app</a>.</p> aws docker cicd Piotr Pabis Mon, 01 Sep 2025 05:41:25 +0000 https://forem.com/aws-builders/you-have-to-upgrade-to-soci-v2-2p2f https://forem.com/aws-builders/you-have-to-upgrade-to-soci-v2-2p2f <p>Around May 2025, AWS started updating SOCI Snapshotter GitHub repo to support SOCI indexes v2. This is a refreshed model that simplifies the index management. It's easier to find which index refers to which image/tag with this new version. Because of that I also updated the tool I have presented in the previous post, so that it also supports latest SOCI version.</p> <p>Previous post you can find here: <a href="https://pabis.eu/blog/2025-06-17-Faster-ECS-Startup-SOCI-Index-GitLab-Pipeline.html" rel="noopener noreferrer">https://pabis.eu/blog/2025-06-17-Faster-ECS-Startup-SOCI-Index-GitLab-Pipeline.html</a></p> <p>The new standalone SOCI indexer is in this GitHub repo: <a href="https://github.com/ppabis/ecr-aws-soci-index-builder/tree/v0.11.2" rel="noopener noreferrer">github.com/ppabis/ecr-aws-soci-index-builder/tree/v0.11.2</a></p> <h2> Disclaimer ⚠️ </h2> <p>SOCI V1 feature is disabled by default in all accounts that did not submit a Support ticket to AWS. As previously mentioned, this wasn't announced anywhere but Support confirmed eventually that SOCI V1 is gated since beginning of 2025. SOCI V2 is enabled by default in all accounts. What is more, very recently AWS announced (August 27, 2025) that SOCI V1 will be deprecated until February 9, 2026.</p> <h2> 📦 Architecture for our experiments </h2> <p>If you want to play around with these tools, you can clone the repository from here. I used OpenTofu but it should also work well with Terraform. Just provide the credentials and run <code>tofu apply</code>.</p> <p><a href="https://github.com/ppabis/soci-v2-experiments" rel="noopener noreferrer">https://github.com/ppabis/soci-v2-experiments</a></p> <p>I have created a VPC with all the essentials like NAT gateway, subnets, two EC2 instances that can be used for building the images and indexes, ECR repository and a simple ECS Fargate service. Once you create this environment, wait two or three minutes because the EC2 instances should build the images for respective architectures and push them to ECR on startup. After that you can SSH into one of them using EC2 Instance Connect and create an image index of both images.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Log in to any instance. Check tofu output to get the commands</span> aws ec2-instance-connect ssh <span class="se">\</span> <span class="nt">--region</span> us-east-2 <span class="se">\</span> <span class="nt">--instance-id</span> i-05234fc9c1275999d <span class="se">\</span> <span class="nt">--instance-ip</span> 10.60.2.140 <span class="se">\</span> <span class="nt">--connection-type</span> eice <span class="se">\</span> <span class="nt">--os-user</span> ec2-user </code></pre> </div> <p>Now using the following commands, we can create a multi-arch image. This is a good practice if you sometimes want to save on costs - for example it can happen that x86 spot instances are cheaper at this point in time. As the images can be built in parallel, the cost is very small while there is a good potential for savings in the future.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Change this to your registry and region. Check tofu output to get the value.</span> <span class="nb">export </span><span class="nv">ECR_REGISTRY</span><span class="o">=</span><span class="s2">"889900112233.dkr.ecr.us-east-2.amazonaws.com"</span> aws ecr get-login-password | docker login <span class="nt">-u</span> AWS <span class="nt">--password-stdin</span> <span class="nv">$ECR_REGISTRY</span> docker manifest create <span class="se">\</span> <span class="nv">$ECR_REGISTRY</span>/soci-repo:latest <span class="se">\</span> <span class="nv">$ECR_REGISTRY</span>/soci-repo:arm64 <span class="se">\</span> <span class="nv">$ECR_REGISTRY</span>/soci-repo:amd64 docker manifest annotate <span class="se">\</span> <span class="nv">$ECR_REGISTRY</span>/soci-repo:latest <span class="se">\</span> <span class="nv">$ECR_REGISTRY</span>/soci-repo:arm64 <span class="se">\</span> <span class="nt">--arch</span> arm64 docker manifest annotate <span class="se">\</span> <span class="nv">$ECR_REGISTRY</span>/soci-repo:latest <span class="se">\</span> <span class="nv">$ECR_REGISTRY</span>/soci-repo:amd64 <span class="se">\</span> <span class="nt">--arch</span> amd64 docker manifest push <span class="nv">$ECR_REGISTRY</span>/soci-repo:latest </code></pre> </div> <p>In your ECR repository you should now see three images: two actual images and one index like on the image below. These are not SOCI enabled.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuziv8ih84edfei579fsz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuziv8ih84edfei579fsz.png" alt="ECR without SOCI index" width="800" height="268"></a></p> <p>We can use ORAS to analyze how this new manifest looks like. It should have just two entries for Intel image and ARM image. On the instances I have already installed ORAS using user data but you can get more information about it here: <a href="https://oras.land" rel="noopener noreferrer">oras.land</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ecr get-login-password | oras login <span class="nt">-u</span> AWS <span class="nt">--password-stdin</span> <span class="nv">$ECR_REGISTRY</span> oras manifest fetch <span class="nv">$ECR_REGISTRY</span>/soci-repo:latest </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"schemaVersion"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.distribution.manifest.list.v2+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"manifests"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.distribution.manifest.v2+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">2613</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:cf8488c22543c8ac676dbea9ceb99abb7120799405b05b4098149bed20bf14b3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"platform"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"architecture"</span><span class="p">:</span><span class="w"> </span><span class="s2">"amd64"</span><span class="p">,</span><span class="w"> </span><span class="nl">"os"</span><span class="p">:</span><span class="w"> </span><span class="s2">"linux"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.distribution.manifest.v2+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">2613</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:a60af31eb40bb689c25aa23748707fdbd0d698734bbdb58ba3ee3597fb214379"</span><span class="p">,</span><span class="w"> </span><span class="nl">"platform"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"architecture"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arm64"</span><span class="p">,</span><span class="w"> </span><span class="nl">"os"</span><span class="p">:</span><span class="w"> </span><span class="s2">"linux"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Creating SOCI V1 index 1️⃣ </h2> <p>We can now create old SOCI V1 index using the tool that should also be available on the instance. You can run it in Docker and just provide the URIs as well as requested SOCI index version. With V1 you can't point to an index as it will result in an error.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker run <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">-e</span> <span class="nv">AWS_REGION</span><span class="o">=</span>us-east-2 soci-gen:latest <span class="nt">-repository</span> <span class="nv">$ECR_REGISTRY</span>/soci-repo:latest <span class="nt">-soci-index-version</span> V1 <span class="o">{</span><span class="s2">"level"</span>:<span class="s2">"warn"</span>,<span class="s2">"RegistryURL"</span>:<span class="s2">"889900112233.dkr.ecr.us-east-2.amazonaws.com"</span>,<span class="s2">"time"</span>:<span class="s2">"2025-08-29T07:00:26Z"</span>,<span class="s2">"message"</span>:<span class="s2">"Image manifest validation error: not a valid image manifest: empty config media type"</span><span class="o">}</span> <span class="c"># Generate SOCI V1 indexes for arm64 and amd64 separately</span> <span class="nv">$ </span>docker run <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">-e</span> <span class="nv">AWS_REGION</span><span class="o">=</span>us-east-2 soci-gen:latest <span class="nt">-repository</span> <span class="nv">$ECR_REGISTRY</span>/soci-repo:amd64 <span class="nt">-soci-index-version</span> V1 <span class="nv">$ </span>docker run <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">-e</span> <span class="nv">AWS_REGION</span><span class="o">=</span>us-east-2 soci-gen:latest <span class="nt">-repository</span> <span class="nv">$ECR_REGISTRY</span>/soci-repo:arm64 <span class="nt">-soci-index-version</span> V1 </code></pre> </div> <p>In ECR you will see now two additional entries that are untagged. They will be of type <code>application/vnd.amazon.soci.index.v1+json</code>. However, even if you now download the manifest of any of the images or image index, nothing will change. SOCI V1 index is just a manifest uploaded to the repository.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftcjhxjk6ydpkm29y2oqd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftcjhxjk6ydpkm29y2oqd.png" alt="SOCI V1 Indexes" width="800" height="344"></a></p> <h2> 🤔 The problem with V1 indexes </h2> <p>In order to find if an index exists for a specific image, you either have to scan all the indexes in the repo or have some database mechanism that stored a map of indexes and image hashes. A way to imagine this problem is with simple files and directories. Let's say you have a directory that represents your container image repository. You have several <code>tar.gz</code> files that are actual images and some <code>soci.json</code> files that are SOCI indexes (this example is just simplification).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ ls myrepo 78160dbe.tar.gz 685511a5.tar.gz 3385ce09.soci.json 632fe5f2.soci.json 5663eace.soci.json </code></pre> </div> <p>Let's assume that you want to pull image <code>78160dbe</code>. To check if you have a SOCI index for this image, you need to either check all the <code>.soci.json</code> files or have some database that has a list of that. In each <code>.soci.json</code> file, there's a "Subject" field that has a hash of the image it relates to.</p> <p>When you download the JSON that sits behind this entry, you can see the SHA sum of the image for which the SOCI index was created (at the bottom under <code>subject</code>). When you look at the JSON manifest of the image, there's no relation to the SOCI index - it's just a plain old Docker manifest.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fetch the SOCI V1 index</span> oras manifest fetch 0123456789012.dkr.ecr.us-east-2.amazonaws.com/soci-repo@sha256:d00c6532ae6925dc10527d85eb77ec048c5661bf8a6bf460ee53be474e38f5de | jq </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"schemaVersion"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.oci.image.manifest.v1+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.amazon.soci.index.v1+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:d00c6532ae6925dc10527d85eb77ec048c5661bf8a6bf460ee53be474e38f5de"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"layers"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/octet-stream"</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:5a317781e98d5b9e06ff67dfcd721fde46eb30e48af5ec959ff15260124521d9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">1387368</span><span class="p">,</span><span class="w"> </span><span class="nl">"annotations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"com.amazon.soci.image-layer-digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:fbe4cc75eed0371e58892a650547fc4b104356b21b2da1ef76c9219247af9cc9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"com.amazon.soci.image-layer-mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.image.rootfs.diff.tar.gzip"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">More</span><span class="w"> </span><span class="err">ztoc</span><span class="w"> </span><span class="err">layers</span><span class="w"> </span><span class="err">continue</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.distribution.manifest.v2+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:2b0d259f8f55f97f4052afd5bba0cc54cc394206767de85386a379493a75af8d"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">2613</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"annotations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"com.amazon.soci.build-tool-identifier"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS SOCI CLI v0.2"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>To find if an image has a SOCI index, we can use <code>oras discover</code> command. It finds the relationships between untagged artifacts 😮. For example to locate the SOCI v1 index of <code>arm64</code> image, I use the following command. This is this magical database I was talking about. Notice that the hash of the index matches what we just downloaded.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>oras discover 0123456789012.dkr.ecr.us-east-2.amazonaws.com/soci-repo:arm64 0123456789012.dkr.ecr.us-east-2.amazonaws.com/soci-repo@sha256:a60af31eb40bb689c25aa23748707fdbd0d698734bbdb58ba3ee3597fb214379 └── application/vnd.amazon.soci.index.v1+json └── sha256:d00c6532ae6925dc10527d85eb77ec048c5661bf8a6bf460ee53be474e38f5de </code></pre> </div> <p>On my current account, where I requested SOCI V1 to be enabled, it still works. But when I tested on another clean account, it indeed did not show up in ECS. The example service in the repository fetches ECS metadata of the task and the container. If the <code>Snapshotter</code> field is <code>soci</code> that means either SOCI V1 or V2 was used. If it is <code>overlayfs</code> that means no SOCI index was found or you are trying to use SOCI V1 on an account where it is disabled.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjchmwz97kw818a4yjpit.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjchmwz97kw818a4yjpit.png" alt="Snapshotter: soci" width="800" height="375"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05k9ztavj2zwubhhfhqr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05k9ztavj2zwubhhfhqr.png" alt="Snapshotter: overlayfs" width="800" height="358"></a></p> <h2> Upgrade to SOCI V2 🚀 </h2> <p>I used a new version of the standalone indexer I modified from the Lambda tool. It does not overwrite the original tag but creates a new one with <code>-soci</code> suffix. That way you can have both SOCI-indexed alongside same non-indexed image in the repository. Back in SOCI v1, unless deleted, the index was always retrieved for a particular image if the runtime has the feature enabled.</p> <p>With SOCI V2 things are more reliable. The index is also kept in a similar file, however, the connection between index and image is stored both in the index file itself but also in another manifest file that is tagged. So once you pull <code>myimage:latest-soci</code>, a manifest is loaded first that contains links to both the actual layered image as well as the SOCI index. It makes it quicker and less complicated to manage. What is more, you can control whether you want to use SOCI enhanced image or a normal one by changing a tag.</p> <p>I have built SOCI V2 index against the multi-arch index we created earlier, as this use case is supported now. The command is almost the same. However, you can also point to the image directly. In both cases, a new index will be created.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhmzhnefdbe02zeeghkaq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhmzhnefdbe02zeeghkaq.png" alt="ECR with SOCI v2 index" width="800" height="339"></a></p> <p>On the image above you can see also some two untagged images. These are the same as the tagged <code>arm64</code> and <code>amd64</code> images but their manifests were converted to OCI format (from a default Docker one). If you inspect the two, the layers are untouched and have the same hashes - only media type is changed. You won't pay for more storage as the layers are shared. I verified that with ORAS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fetch original Docker manifest</span> oras manifest fetch 0123456789012.dkr.ecr.us-east-2.amazonaws.com/soci-repo:arm64 <span class="c"># Fetch converted OCI manifest of the same image</span> oras manifest fetch 0123456789012.dkr.ecr.us-east-2.amazonaws.com/soci-repo@sha256:cdd640f4e50444a0be5e10c5698bc27904e68e1246b90acf18521b4117df83da | jq </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"schemaVersion"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.distribution.manifest.v2+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.container.image.v1+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">8072</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:873cf5dabf17fcf461fbfc55c9785fa2fcf282b55b96e6ef0508a944166cb514"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"layers"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.image.rootfs.diff.tar.gzip"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">31373560</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:fbe4cc75eed0371e58892a650547fc4b104356b21b2da1ef76c9219247af9cc9"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.image.rootfs.diff.tar.gzip"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">1270307</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:3cd5add3ba3330f959ed1b27096bfb25e2f29a4cf327009d69855a903036f3af"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"schemaVersion"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.oci.image.manifest.v1+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.oci.image.config.v1+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:873cf5dabf17fcf461fbfc55c9785fa2fcf282b55b96e6ef0508a944166cb514"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">8072</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"layers"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.image.rootfs.diff.tar.gzip"</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:fbe4cc75eed0371e58892a650547fc4b104356b21b2da1ef76c9219247af9cc9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">31373560</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.docker.image.rootfs.diff.tar.gzip"</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:3cd5add3ba3330f959ed1b27096bfb25e2f29a4cf327009d69855a903036f3af"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">1270307</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> ☹️ Multi-arch limitation? </h2> <p>As least with the tool I have converted from Lambda there actually is a limitation. Even though as you saw, both <code>arm64</code> and <code>amd64</code> images were converted to OCI format, SOCI index was only created for the platform you run the tool from. It essentially behaves the same was as you would pull a default image. When I tried to force creation of <code>amd64</code> index on arm64 instance, it failed by trying to download actual arm64 image from <code>amd64</code> tag. When you fetch the manifest of the <code>-soci</code> tagged image, you can see that it only contains one SOCI entry and two OCI image entries for both architectures.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get new image index manifest generated by SOCI v2</span> oras manifest fetch 0123456789012.dkr.ecr.us-east-2.amazonaws.com/soci-repo:latest-soci </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"schemaVersion"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.oci.image.index.v1+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"manifests"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.oci.image.manifest.v1+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:6771831a7bfa83d50a462058c462c4b5b7ebc5ad47bc72bc9894f85bfedbbeef"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">2027</span><span class="p">,</span><span class="w"> </span><span class="nl">"platform"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"architecture"</span><span class="p">:</span><span class="w"> </span><span class="s2">"amd64"</span><span class="p">,</span><span class="w"> </span><span class="nl">"os"</span><span class="p">:</span><span class="w"> </span><span class="s2">"linux"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.oci.image.manifest.v1+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:cdd640f4e50444a0be5e10c5698bc27904e68e1246b90acf18521b4117df83da"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">2148</span><span class="p">,</span><span class="w"> </span><span class="nl">"annotations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"com.amazon.soci.index-digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:963e2cc55b42e73b6f51530d9956ed03cb204bf0fce0b2608a1a4e7674e7c354"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"platform"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"architecture"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arm64"</span><span class="p">,</span><span class="w"> </span><span class="nl">"os"</span><span class="p">:</span><span class="w"> </span><span class="s2">"linux"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mediaType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.oci.image.manifest.v1+json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:963e2cc55b42e73b6f51530d9956ed03cb204bf0fce0b2608a1a4e7674e7c354"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">1394</span><span class="p">,</span><span class="w"> </span><span class="nl">"annotations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"com.amazon.soci.image-manifest-digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:cdd640f4e50444a0be5e10c5698bc27904e68e1246b90acf18521b4117df83da"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"platform"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"architecture"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arm64"</span><span class="p">,</span><span class="w"> </span><span class="nl">"os"</span><span class="p">:</span><span class="w"> </span><span class="s2">"linux"</span><span class="p">,</span><span class="w"> </span><span class="nl">"variant"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v8"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"artifactType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"application/vnd.amazon.soci.index.v2+json"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>However, when I created a new manifest and merged two SOCI V2 image indexes together (4 entries in total) along with all annotations to match, the ECS service as able to use SOCI snapshotter for both architectures so the limitation is only in the tool. You can find the example index here: <a href="https://github.com/ppabis/soci-v2-experiments/blob/787a9c67368838e757234dc0cd313cfa549c8674/manifest-new.json" rel="noopener noreferrer"><code>manifest-new.json</code></a>. I used ORAS to forcefully push it to ECR.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>oras manifest push 889900112233.dkr.ecr.us-east-2.amazonaws.com/soci-repo:latest-soci-2 manifest-new.json </code></pre> </div> <p><strong>But!</strong> I asked in the issues of the original SOCI Snapshotter for the feature and it turns out it was there under the flag <code>--all-platforms</code>. By analyzing the code I backported it to my tool and now it generated all the platforms by default (you can't change this behavior).</p> <h2> Conclusion </h2> <p>SOCI V2 is not a big or breaking change. It simplifies the management of indexes and makes it easier for the registry provider to handle them. They are treated the same way as regular artifacts stored in the registry and always bound by a manifest.</p> ecs aws containers docker