Cloud resume challenge

The objective of the Cloud Resume Challenge is to exercise knowledge of several AWS and cloud technologies through a practical project: building a web page that shows your résumé. This project uses the following AWS technologies:

AWS Diagram

A brief explanation of the architecture:

  • The static website is hosted in an S3 bucket. Persistent data, for example the visitor counter, is stored in DynamoDB.
  • Several Lambda functions are used: one processes client requests, and another implements an additional feature, a "cheap DDoS protection". This DDoS protection was mainly an excuse to play a bit more with AWS and try a recent CloudWatch Alarms feature: invoking a Lambda function directly when the alarm changes state.
  • All the infrastructure is coded in Terraform, including domain validation using the Cloudflare provider.
  • The project is tested at two levels: smoke tests with Cypress and unit tests with pytest.

Some problems solved along the way:

  • Debugging why a CloudWatch alarm was not triggering a Lambda function. Details below.
  • Allowing a Lambda function to rename files in the S3 bucket (a permissions problem). Details below.
  • Solving and debugging CORS-related problems, thanks to CloudWatch Logs and the browser developer tools.
  • Certificate validation using Terraform.

CloudWatch alarm is not authorized to trigger the Lambda used as DDoS protection

AWS introduced a new feature at the end of 2023 so that CloudWatch alarms can invoke a Lambda function directly when they change state. It was straightforward to assign an AWS Lambda function when creating the alarm, but it didn't work after the alarm was created. I got the following error:

AWS Diagram

I went to the Lambda resource policy to authorize CloudWatch to trigger it, but it didn't work. After long research I found that I needed to authorize the principal "lambda.alarms.cloudwatch.amazonaws.com". I was authorizing the wrong principal, "cloudwatch.amazonaws.com". The problem is that this is a very new feature, so it was impossible to find the right principal for CloudWatch alarms: all the answers to similar problems on Reddit and Stack Overflow just said the principal for alarms is "cloudwatch.amazonaws.com". I only found one post (Thanks いわさ!!) with this error on the whole Internet:

When I authorized the principal "lambda.alarms.cloudwatch.amazonaws.com" the problem was solved:

AWS Diagram
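The same fix expressed in Terraform, as an added example and not the project's own code. The resource names (ddos_protection, request_spike, the visitor-counter function the alarm watches), the metric and the threshold are assumptions for illustration; the point is the principal on the aws_lambda_permission resource, plus the source_arn and source_account conditions that stop an alarm in another account from invoking the function.

```hcl
# Added example, not the project's own Terraform. Wires a CloudWatch alarm
# directly to a Lambda alarm action and grants the invocation with the
# correct service principal. Names (ddos_protection, request_spike,
# visitor-counter) and the alarm metric/threshold are assumptions.

data "aws_caller_identity" "current" {}

# Execution role: the identity the Lambda assumes on every invocation.
data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ddos_lambda" {
  name               = "ddos-protection-lambda"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

resource "aws_lambda_function" "ddos_protection" {
  function_name = "ddos-protection"
  role          = aws_iam_role.ddos_lambda.arn
  runtime       = "python3.12"
  handler       = "handler.lambda_handler"
  filename      = "ddos_protection.zip" # packaged handler, built elsewhere
}

# Alarm on the request-handling Lambda (assumed to be named visitor-counter):
# more than 1000 invocations in one minute moves the alarm to ALARM, and the
# state change invokes ddos_protection directly, with no SNS topic in between.
resource "aws_cloudwatch_metric_alarm" "request_spike" {
  alarm_name          = "visitor-counter-request-spike"
  namespace           = "AWS/Lambda"
  metric_name         = "Invocations"
  dimensions          = { FunctionName = "visitor-counter" }
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1000
  comparison_operator = "GreaterThanThreshold"
  treat_missing_data  = "notBreaching"

  alarm_actions = [aws_lambda_function.ddos_protection.arn]
  ok_actions    = [aws_lambda_function.ddos_protection.arn]
}

# Resource-based policy on the Lambda. The principal is the alarm service,
# "lambda.alarms.cloudwatch.amazonaws.com"; "cloudwatch.amazonaws.com" is
# the wrong principal for alarm actions and leaves the invocation unauthorized.
resource "aws_lambda_permission" "allow_alarm" {
  statement_id   = "AllowInvokeFromCloudWatchAlarm"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.ddos_protection.function_name
  principal      = "lambda.alarms.cloudwatch.amazonaws.com"
  # Confused-deputy guard: only alarms in this account, and only this alarm.
  source_account = data.aws_caller_identity.current.account_id
  source_arn     = aws_cloudwatch_metric_alarm.request_spike.arn
}
```

The alarm resource accepts the Lambda ARN in alarm_actions without complaint; the authorization check only happens when the alarm actually transitions, which is why the mistake shows up at runtime rather than at creation. Keeping source_arn on the permission means that adding a second alarm later requires a second aws_lambda_permission, which is the intended trade-off.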

Lambda used as DDoS protection can't rename files in the S3 bucket because of permissions

The problem was how to authorize a Lambda function to access S3 objects. I updated its role to access my S3 bucket, but it wasn't enough. So I needed to update the S3 resource policy to allow access for my Lambda, but how? In the end I found that I needed to authorize the "role" of the Lambda instead of the Lambda itself. The Lambda puts on the "role hat" each time it executes:

AWS Diagram
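The S3 side of the same Lambda in Terraform, as an added example and not the project's own code. It looks up the execution role by name (ddos-protection-lambda, an assumed name) and grants it the object permissions a rename needs, both on the role and in the bucket policy; the bucket name is also an assumption.

```hcl
# Added example, not the project's own Terraform. Shows the two policies that
# let the DDoS-protection Lambda rename objects in the site bucket: an identity
# policy on the execution role, and a bucket policy whose principal is the role
# ARN (the identity the function runs as), never the function ARN. Role and
# bucket names are assumptions; the role is assumed to already exist.

data "aws_iam_role" "ddos_lambda" {
  name = "ddos-protection-lambda"
}

resource "aws_s3_bucket" "site" {
  bucket = "example-cloud-resume-site"
}

# A "rename" in S3 is CopyObject to the new key followed by DeleteObject on
# the old key, so the role needs read, write and delete on objects, plus
# ListBucket on the bucket itself if the handler enumerates keys first.
data "aws_iam_policy_document" "rename_objects" {
  statement {
    sid       = "ListSiteBucket"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.site.arn]
  }
  statement {
    sid       = "RenameSiteObjects"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]
  }
}

resource "aws_iam_role_policy" "rename_objects" {
  name   = "rename-site-objects"
  role   = data.aws_iam_role.ddos_lambda.id
  policy = data.aws_iam_policy_document.rename_objects.json
}

# Bucket policy: the principal is the role, matched by ARN. Naming the Lambda
# function ARN here does nothing, because S3 never sees the function as a
# principal; it sees an assumed-role session of ddos-protection-lambda.
data "aws_iam_policy_document" "site_bucket" {
  statement {
    sid = "AllowDdosLambdaRoleToRename"
    principals {
      type        = "AWS"
      identifiers = [data.aws_iam_role.ddos_lambda.arn]
    }
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]
  }
  statement {
    sid = "AllowDdosLambdaRoleToList"
    principals {
      type        = "AWS"
      identifiers = [data.aws_iam_role.ddos_lambda.arn]
    }
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.site.arn]
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site_bucket.json
}
```

One caveat worth knowing before copying this: for a bucket in the same account, the identity policy on the role is normally sufficient by itself, and the bucket policy statement becomes necessary when the bucket belongs to another account or when the existing bucket policy carries a Deny that does not exempt the role (common on a static-site bucket that has been locked down). In both cases the principal to name is the role ARN, for the reason the post gives: the function's credentials are an assumed-role session of that role, and that session is what S3 evaluates.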