automate the control, the purge and the management of AWS accounts assigned permanently to selected employees - foster innovation from cloud teams
License: Apache License 2.0
With ChatOps we can bring progressive and explainable automation to the operation of SPA. A use case is when a billing alert has been hit, to send a message over chat to someone and to validate that an action has been taken. Another use case is the conditional deletion of cloud resources, validated by the resource owner.
SPA has been introduced to reduce as much as possible the administration burden of many AWS accounts. In order to scale, there is a need for SPA to interact directly with the owners of AWS accounts for simple and repetitive tasks.
The architecture is leveraging event-driven supported by Eventbridge
Learn more:
Other tickets will be created for the progressive development of ChatOps capabilities:
Purpose of this epic is to ensure that no Storm reply consultant is using IAM user credential to access the sandbox account, once everybody has received a personal AWS account for himself.
For each IAM user found on sandbox account 792281704736:
Currently code is leveraging the default Lambda infrastructure, powered by x86. We would like to change this to ARM and save 20% on costs, as per following document.
Reference:
This optional feature is aiming to close the feedback loop via social channels. When a billing alert is raised, or when a CodeBuild projects fails for some reason, the information is pushed to a channel with multiple eyes.
Currently SPA distributes alerts and notifications over e-mail. While mailing lists can be helpful, they have proven less reactive than social exposure. For example, if a team member goes beyond his budget, he can neglect proper handling of the billing alert in his inbox. But if the same alert is exposed on a social channel, then the person will receive encouragements from the entire team to fix the issue.
Our first requirement is to limit blast radius of any action engaged in the context of the Management account of the AWS Organization. For that, we will run code either in the context of the Automation account, or in the context of individual personal accounts. Since code ran in Automation has to move accounts around, there is a need to grant specific permissions via a role and a trusted relationship managed in IAM.
Here is how the sequence of actions is looking like for moving an account from one OU to another one:
Policy SandboxPowerAccess is defined using multiple identifiers:
organization_identifier - something like o-a1b2c3d4e5root_ou_identifier - something like r-f6g7h8i9j0examplesandbox_ou_identifier - a string starting with ou-vanilla_accounts_ou_identifier - a string starting with ou-assigned_accounts_ou_identifier - a string starting with ou-released_accounts_ou_identifier - a string starting with ou-expired_accounts_ou_identifier - a string starting with ou-management_accountautomation_accounttest_account - account used for testsWith that in mind, you can create the policy SandboxPowerAccess by substituting values in following template:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"organizations:*"
],
"Resource": [
"arn:aws:organizations::{management_account}:account/{organization_identifier}/*",
"arn:aws:organizations::{management_account}:ou/{organization_identifier}/{vanilla_accounts_ou_identifier}",
"arn:aws:organizations::{management_account}:ou/{organization_identifier}/{assigned_accounts_ou_identifier}",
"arn:aws:organizations::{management_account}:ou/{organization_identifier}/{released_accounts_ou_identifier}",
"arn:aws:organizations::{management_account}:ou/{organization_identifier}/{expired_accounts_ou_identifier}"
]
},
{
"Effect": "Allow",
"Action": [
"account:*",
"codebuild:*",
"iam:*"
],
"Resource": "*"
}
]
}Epic:
Authenticate in root account and take note of identifiers listed above
Go to IAM console and create policy SandboxPowerAccess, based on previous template
Create role ServiceRoleForAutomation and attach policy SandboxPowerAccess to it. Add trusted relationship with account Automation.
Authenticate to account Automation and add an IAM policy AssumeServiceRoleForAutomation, that allows to assume role ServiceRoleForAutomation in account Management
To test the overall setup, there is a need to create an EC2 instance in the context of Automation, to connect to it, to assume role ServiceRoleForAutomation in Management account, and to pass commands to move accounts in AWS CLI
With this feature, SPA gets from the Cost Explorer API a report for a given account and attaches it to an ongoing incident record
When an incident record is created on budget alert, there is a need to provide contextual information to responders. This is eliminating manual checks that are performed during resolution.
More information:
When accounts are moved between OU , this cause a drift status in the CT dashboard, and the account isn't governed anymore. You need to reregister the OU afterward.
PB :
In make setup :
npm install -g aws-cdk@latest --force
...
npm install -g @marp-team/marp-cli --force
fails with permission denied if not root (cause -g is global and /usr/lib/node_modules/ is not world writable neither all of modules)
The Automation AWS account is hosting all central computing and storage resources used for SPA. The EventBridge bus used by SPA is the default bus of the Automation AWS account itself.
Grant permissions to allow events from other AWS accounts. While the bus does not need to be created, there is a need to configure it for cross-account event submission. This has to be done once.
Create a CloudWatch log group to reflect events generated by AWS Organizations. After authentication to Automation account, go to Ireland region and create a CloudWatch log group. Select name /aws/events/aws-organizations-events and retention period of 30 days.
Test the manual deployment by moving an account from one OU to another OU, and then move it back to the original OU. This should generate two events visible in CloudWatch logs. Copy these events and put each of them in a .json file in the folder /tests/events of this git repository.
Delete the CloudWatch log group and the EventBridge rule that were created manually.
Create python code with CDK to automate the creation of CloudWatch log group and EventBridge. Script should be named deploy_resources.py and be placed in the root directory of this repository.
Run python code and deploy resources in Automation account.
Test the automated deployment by moving an account from one OU to another OU, and then move it back to the original OU. This should generate two events visible in CloudWatch logs.
NB : Tag all manually created ressources with : "Stack:sustainable-personal-accounts" . BGA
Scenario: where cloud engineers can review what would be destroyed in their accounts
Given an expired account
When the purge is done in dry-run mode
Then the log of the purge is pushed to parameter store for easy access by cloud engineer
This Lambda function will scan organizational units and managed accounts, and tag accounts with state 'released'.
During normal operations the accounts are transitioned automatically from the state released to the states expired, assigned, prepared and released again. However, in a case of a bug into one of the processing Lambda functions, it may happen that the cycles break and that accounts stay in an intermediate state without additional processing.
Since the state of an account is contained in a tag attached to it, for such situations you can use AWS Organizations to change the state of any account. For this you would visit the page of each account and then change the tag account:state to the value released. This operation is feasible for some dozens of accounts, but can become tedious for large number of accounts. Therefore the need to reset accounts to the state released with a simple invocation of a Lambda function devoted to this usage.
ReleaseAccountsAs a solution owner,
I want to get guidance for the setup of automation account
So as to be able to deploy the automated solution afterwards
With the last arrivals, I encountered 2 problems and had to open a case with AWS support to get back control of the account :
Accounts should be created from the Account factory only. Else, setup must be completed and CTExecution Role manually created in the account (pb occured whith saad account).
Today SPA tags accounts with names such as account-owner and account-state. However, large corporations may want to use a different prefix.
Purpose of this change is to align SPA with corporate tagging policies defined for cloud resources.
Currently, Worker only has class methods. Most methods rely on a session parameter. Because of this, there is heavy cascading of session transmission across methods. To fix this, we suggest that instances of Worker are created to encapsulate session as instance attribute.
We introduce a single section of the settings file to capture all default settings that apply at account level. This is a change from previous situation where the default keyword could be used jointly within the accounts section and also in the organizational_units section.
This change streamlines the configuration of SPA with a single place to set default settings. Previously you could have to replciate default settings at two different places of the configuration file.
fixtures/settings/settings.yaml accordinglytests/test_configuration.py accordinglydefault in resources/configuration.pydefault in the section organizational_units in resources/configuration.pyorganizational_units have a name that are prefixed with ou-default in the section accounts in resources/configuration.pyaccounts have a name that are 12-digitsToday SSM Parameters created in the Automation account do not mention environment identifiers such as SpaAlpha etc.
https://github.com/prowler-cloud/prowler
Prowler is a command line tool that helps you with AWS security assessment, auditing, hardening and incident response.
It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has more than 190 additional checks including related to GDPR, HIPAA, PCI-DSS, ISO-27001, FFIEC, SOC2 and others.
Make deploy will fail if you configure to deploy on eu-west-3 due to arm64 no't available yet.
❌ Deployment failed: Error: Stack Deployments Failed: Error: The stack named SpaCommitted failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Architecture "arm64" is not supported in eu-west-3. Please select "x86_64" or remove the Architectures value from your request and try again (Service: Lambda, Status Code: 400, Request ID: 86cc75f7-53e7-481c-b049-7f464154bdd8)" (RequestToken: c8b878fb-3909-4930-05cb-2f6b01d54543, HandlerErrorCode: InvalidRequest), Resource handler returned message: "Architecture "arm64" is not supported in eu-west-3. Please select "x86_64" or remove the Architectures value from your request and try again (Service: Lambda, Status Code: 400, Request ID: a0e085ba-c4c7-41cf-a058-17ef5f3f99f0)" (RequestToken: 6b221b58-2201-02de-8377-f3dc062d7b5b, HandlerErrorCode: InvalidRequest), Resource handler returned message: "Architecture "arm64" is not supported in eu-west-3. Please select "x86_64" or remove the Architectures value from your request and try again (Service: Lambda, Status Code: 400, Request ID: 4ffd6aff-3192-4abc-8510-bf5fbddef80e)" (RequestToken: d31c3eb6-ed6f-8098-97da-0fa70f2bb833, HandlerErrorCode: InvalidRequest), Resource handler returned message: "Architecture "arm64" is not supported in eu-west-3. Please select "x86_64" or remove the Architectures value from your request and try again (Service: Lambda, Status Code: 400, Request ID: 43986f59-f13c-4b92-81e7-1ca615fce04d)" (RequestToken: f7fd9bb9-9b3e-72a4-e687-e7b9cffcbb7b, HandlerErrorCode: InvalidRequest), Resource handler returned message: "Architecture "arm64" is not supported in eu-west-3. Please select "x86_64" or remove the Architectures value from your request and try again (Service: Lambda, Status Code: 400, Request ID: 56180a28-09d3-48de-b2d9-38ff471a8da1)" (RequestToken: 3c159c43-bfc9-5a35-62b8-217a119c6e36, HandlerErrorCode: InvalidRequest)
at deployStacks (/usr/lib/node_modules/aws-cdk/lib/deploy.ts:61:11)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at CdkToolkit.deploy (/usr/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:314:7)
at initCommandLine (/usr/lib/node_modules/aws-cdk/lib/cli.ts:357:12)Since SPA tags account with personal addresses of persons, it should be considered as a data store of PII.
The management of PII is related to GDPR compliance.
[ ] Review GDPR constraints on PII for company employees
[ ] Add workbooks to document the life cycle of AWS accounts and related PII
While AWS-Nuke can filter out some resources, this is done only based on resource name. We would like to have more flexibility with resource tagging. One option to consider would be AWSweeper or similar.
Reference:
Hello, on my side encountered :
ERROR: flake8 4.0.1 has requirement mccabe<0.7.0,>=0.6.0, but you'll have mccabe 0.7.0 which is incompatible.
and
npm ERR! Error: EACCES: permission denied, rename '/usr/lib/node_modules/aws-cdk'
while make setup due to prior cdk install I guess
When doing sudo make setup, the setup manage both downgrading of mcabe and cdk
With this issue we develop and deploy all Lambda functions that are part of the SPA project. We do not include CodeBuild projects yet, and only want to control the overall flow of transitions across OU.
Pre-conditions:
Epic:
Write code for Lambda function MoveVanillaAccount in /code/move_vanilla_account_lambda.py. This function will receive an event generated by AWS Organizations, ensure that the OU is the one for Vanilla Accounts, extract the account id from the event itself, and move the account to the OU Assigned Accounts. Identifiers will be provided to the function as environment variables VANILLA_ACCOUNTS_OU_IDENTIFIER and ASSIGNED_ACCOUNTS_OU_IDENTIFIER.
Extend python script deploy_resources.py to automate the deployment of Lambda function MoveVanillaAccount. You should create a specific python construct for that purpose, with two parameters vanilla_accounts_ou_identifier and assigned_accounts_ou_identifier.
Test the deployment by moving one AWS account to the OU Vanilla Accounts. Ensure that execution of MoveVanillaAccount is reported in CloudWatch logs, and that the account is moved automatically to the OU Assigned Accounts.
Write code for Lambda function SignalAssignedAccount in /code/signal_assigned_account_lambda.py. This function will receive an event generated by AWS Organizations, ensure that the OU is the one for Assigned Accounts, and put an event PreparedAccount on the event bus. Identifier will be provided to the function as environment variable ASSIGNED_ACCOUNTS_OU_IDENTIFIER. Note that code is not complete here, since we do not create nor start a CodeBuild project yet.
Extend python script deploy_resources.py to automate the deployment of Lambda function SignalAssignedAccount. You should create a specific python construct for that purpose, with one parameters assigned_accounts_ou_identifier.
Write code for Lambda function MoveAssignedAccount in /code/move_assigned_account_lambda.py. This function will receive an event PreparedAccount, extract the account id from the event itself, and move the account from the OU Assigned Accounts to the OU Released Accounts. Identifiers will be provided to the function as environment variables ASSIGNED_ACCOUNTS_OU_IDENTIFIER and RELEASED_ACCOUNTS_OU_IDENTIFIER.
Extend python script deploy_resources.py to automate the deployment of Lambda function MoveAssignedAccount. You should create a specific python construct for that purpose, with two parameters assigned_accounts_ou_identifier and released_accounts_ou_identifier.
Test the deployment by moving one AWS account to the OU Vanilla Accounts. Ensure that execution of MoveVanillaAccount, of SignalAssignedAccount, and of MoveAssignedAccount are reported in CloudWatch logs, and that the account is moved automatically to the OU Released Accounts.
Write code for Lambda function SignalExpiredAccount in /code/signal_expired_account_lambda.py. This function will receive an event generated by AWS Organizations, ensure that the OU is the one for Expired Accounts, and put an event PurgedAccount on the event bus. Identifier will be provided to the function as environment variable EXPIRED_ACCOUNTS_OU_IDENTIFIER. Note that code is not complete here, since we do not create nor start a CodeBuild project yet.
Extend python script deploy_resources.py to automate the deployment of Lambda function SignalExpiredAccount. You should create a specific python construct for that purpose, with one parameters expired_accounts_ou_identifier.
Write code for Lambda function MoveExpiredAccount in /code/move_expired_account_lambda.py. This function will receive an event PurgedAccount, extract the account id from the event itself, and move the account from the OU Expired Accounts to the OU Assigned Accounts. Identifiers will be provided to the function as environment variables EXPIRED_ACCOUNTS_OU_IDENTIFIER and ASSIGNED_ACCOUNTS_OU_IDENTIFIER.
Extend python script deploy_resources.py to automate the deployment of Lambda function MoveExpiredAccount. You should create a specific python construct for that purpose, with two parameters expired_accounts_ou_identifier and assigned_accounts_ou_identifier.
Test the deployment by moving one AWS account to the OU Expired Accounts. Ensure that execution of SignalExpiredAccount, of MoveExpiredAccount, of SignalAssignedAccount and of MoveAssignedAccount are reported in CloudWatch logs, and that the account is moved automatically to the OU Released Accounts.
Currently Codebuild projects are deployed on ARM small. However, the Codebuild free tier provides 100 minutes every months on x86 small environment. If this is proving better value for money, code should be adjusted to better align with the Codebuild free tier. Also, buildspec templates should be adjusted accordingly. For example, different release of AWS_Nuke has to be considered.
Reference:
venv/bin/python -c "$BROWSER_PYSCRIPT" htmlcov/index.html
Start : Impossible dÔÇÖex├®cuter cette commande en raison de lÔÇÖerreur┬á: Le fichier sp├®cifi├® est introuvable.
Au caractère Ligne:1 : 1
+ Start "file:///home/bgauchon/Melexis-OracleEBS-POC/sustainable-person ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation : (:) [Start-Process], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
Purpose of this enhancement is to remove dependency pymsteams
We try to keep SPA as slim as possible, and to support native web requests instead of loading external modules.
[ ] write a function to post a notification (title and subject) to Microsoft Teams
[ ] change code to use this function instead of pymsteams
[ ] remove dependency in setup.py
Reference code exist to submit notification to an incoming webhook of Teams:
When an account is assigned to a person, we want to share terms of service for the corporate resource that is provided.
There is a need to align the management of personal AWS accounts with the management of other corporate resources such as computers or smart phones.
cdk/documents.py to handle templates with frontmattertests/test_cdk_documents.py using fixtures/documents/terms-of-use.mdmake all-testsmake lintfixtures/settings/settings-with-notifications.yamltests/test_cdk_configuration.pycdk/parameters_construct.py to load notifications in SSM parameter storetests/test_cdk_parameters_construct.py with mocked SSMmake all-testsmake lintcdk/on_notification_construct.py to build DynamoDB table and related Lambdas functionstests/test_cdk_on_notification_construct.py to ensure data encryption in DynamoDBcdk/serverless_stack.py to integrate new constructtests/fixture_small_setup.pyget_notification_for_account to lambdas/settings.pymake all-testsmake lintlambdas/on_notification_handler.py to handle events related to notificationstests/test_lambda_on_integration_handler.py for integration testsmake all-testsmake lintThis is a workbook for enterprises that have thousands of AWS accounts to manage.
Learn more:
SPA by itself does not create nor terminate accounts. When a new consultant joins Reply, we use Control Tower to create an account from the Account Factory (implemented with Service Catalog). This works well with the current rate of staff arrival, but of course it will not sustain a high-rate of people on-boarding, and is prone to configuration errors.
Therefore the need to provide, aside SPA itself, workbooks and code that control the creation and termination of thousands of AWS accounts. Current thinking is limit code dept by leveraging existing solution.
.md in the workbooks directoryEven if you change the region configured on your setting.yaml, it won't use it.
It will use you region on your ~/.aws/config instead.
While this is not an urgent topic, we should not use terms such as 'master' across Reply projects. For trunk-based workflows, we should prefer to name 'main' for the trunk itself.
There is a need to review and enhance the README and the PITCHME files in order to smooth the experience of persons new tpo the project
Scenario: where a billing alert is set automatically during account preparation
Given an assigned account
When the account is prepared
Then a billing alert is set with a monthly threshold
Reference:
Cette nuit AWS m’a envoyé le message d’alerte ci-dessous. Un petit tour dans la console de billing de mon compte perso confirme un coût de plus de 1,000 USD depuis le début du mois … Après analyse, il s’avère qu’une lambda déployée il y trois jours est invoquée près de 380 fois chaque seconde. Le problème provient de la façon dont EventBridge gère les sources d’événements pour l’envoi de métrique CloudWatch, ce qui a créé une boucle d’appels infinie. L’exécution de la Lambda crée un événement qui lance la Lambda, etc. L’ensemble du stack a été détruit pour stopper le phénomène et mettre fin aux dépenses inutiles.
Quelques leçons apprises :
Les alertes de consommation et de billing sont vraiment importantes et utiles !
/!\ Le Namespace d’envoi de CloudWatch Metrics est interprété comme event Source par EventBridge – pas indiqué dans la documentation
Bonne pratique - 15 minutes après déploiement ou mise à jour de Lambda activées sur événement, il convient de monitorer le nombre global d’invocations sur la console Lambda pour détecter une boucle éventuelle – si ça monte à 115 000 invocations ou plus pour 5 minutes, il y a un problème…
Comme j’étais sur mon compte perso, personne d’autre n’a été impacté – pas de pb de service limit sur les autres comptes, ni en production – l’isolation a fonctionné
Comme nous sommes organisés dans Control Tower, les coûts de plus de 1 000 USD ont été couverts par les crédits que nous donne AWS – il n’y a pas eu de dépense réelle, heureusement
despite precautions taken, we observe extraneous 'AssignedAccount' and 'ReleasedAccount' when the solution is deployed multiple times into the same automation account.
The setup install cdk v2.0.0 but we have 2.13 available and already set up for other projects ; resulting in downgrading existing install and breaking other cdk stacks as installing in another path and taking precedence in systems paths
stack cdk version:
/usr/local/bin/cdk --version
2.0.0-rc.33 (build 336ff5e)
On other stacks for example Melexis
npm install -g aws-cdk@latest
Install cdk in /usr/bin
/usr/bin/cdk --version
2.13.0 (build b0b744d)
With this ticket we rename directories that contain CDK code and Lambda code. We also rename files in the test directory to reflect the location of target python module.
The structure of the code base is not simple for newcomers to the project. Currently the directory resources contains code for CDK, and the directory code contains code for the Lambda functions. Names of test modules do not reflect if tested modules are in resources or in code. We want to streamline the experience of software engineers coming to SPA so as to accelerate their on-boarding.
code to lambdasresources to cdkmake all-teststest to reflect the origin of tested modules, e.g., test_lambda_events.pyCheckHealth to validate the state of the run-timethis lambda function would be triggered manually, or on-demand, and list in the logs every account that is not configured appropriately - this would be useful to spot accounts without appropriate tags
As per : puppeteer/puppeteer#1837 , You can make Marp presentations under WSL :/
... and so we encounter command not found error.
make setup execute this command : npm install --save-dev @marp-team/marp-cli
This install marp in ~/sustainable-personal-accounts/node_modules/.bin/marp which of course is not part of $PATH
In order to fix problem we should either :
sudo npm install -g @marp-team/marp-cliAs solution owner,
I want to get guidance on specific roles to be added to the master account
So as to be able to deploy and configure the automated solution afterwards
This is an adaptation of SPA where configuration file accepts settings per individual accounts.
Today SPA settings is structured per organizational unit. This is great for collections of accounts that are similar. However, for production accounts or for atypical accounts, there is a need for individual settings. A typical use case is for production accounts, where you want to adjust budget thresholds to individual accounts.
features/account_management.feature to document settings file and configuration optionsaccounts: in SPA settings filecode/settings.py to fetch settings for a given account, that looks OU settings if neededpurpose is to spread managed aws accounts across multiple OU. Each OU will have its own set of parameters for accounts that it contains, including:
Epic steps:
Steps for the provisioning of an AWS account:
With this issue we introduce a CodeBuild project to prepare each assigned account.
Pre-conditions:
Epic:
Add a file templates/prepare_account_buildspec.yaml that will use AWS CLI to put an event PreparedAccount. This template should use placeholder {account_identifier} that will be replaced in python with the id of the actual account that is handled by some CodeBuild project.
Modify code of Lambda function SignalAssignedAccount in /code/signal_assigned_account_lambda.py. Suppress code that is putting event PreparedAccount. Instead, add boto3 code to create a CodeBuild project using templates/prepare_account_buildspec.yaml transformed with the account id that is passed to the Lambda function. Code should also start the execution of the Codebuild project.
Run deploy_resources.py again to update lambda function, then test the deployment by moving one AWS account to the OU Assigned Accounts. Ensure that execution of Lambda function SignalAssignedAccount, of Codebuild project PrepareAccount and of Lambda function MoveAssignedAccount are reported in CloudWatch logs, and that the account is moved automatically to the OU Released Accounts. Then delete the CodeBuild project that was created by boto3 code.
Modify again the code of Lambda function SignalAssignedAccount in /code/signal_assigned_account_lambda.py. This time, you will have to add code that 1) assumes role ServiceRoleForAutomation in Management account, 2) create CodeBuild project in target account using templates/prepare_account_buildspec.yaml transformed with the account id that is passed to the Lambda function. Code should also start the execution of the Codebuild project.
Run deploy_resources.py again to update lambda function, then test the deployment by moving one AWS account to the OU Assigned Accounts. Ensure that execution of Lambda function SignalAssignedAccount, of Codebuild project PrepareAccount and of Lambda function MoveAssignedAccount are reported in CloudWatch logs, and that the account is moved automatically to the OU Released Accounts.
This Lambda function will scan organizational units and managed accounts, and tag accounts with state 'vanilla'.
The state machine is based on some tag structure. When code or settings break these tag structure, then state machines do not work anymore. Since the state of an account is contained in a tag attached to it, for such situations you can use AWS Organizations to change the state of any account. For this you would visit the page of each account and then change the tag account-state to the value vanilla. This operation is feasible for some dozens of accounts, but can become tedious for large number of accounts. Therefore the need to reset accounts to the state vanilla with a simple invocation of a Lambda function devoted to this usage.
ResetAccountsThis is a new CLI command added to the SPA project to estimate the cost of SPA deployment. When you type the command make cost-estimation this generates a CloudFormation template and passes it to the AWS CLI command estimate-template-cost. The output is a link to the AWS Calculator with cost indication for resources in the template.
Learn more:
While SPA is based on serverless AWS products and services, and very cost-effective, we need to factually estimate costs that it can incur.
The AWS CLI has a command to bridge with the AWS Cost Calculator
Makefile a new target cost-estimation with appropriate shell commandsThis is a new persistence layer for events related to SPA. We would like to persists all events captured from the bus into a store and we want to stream these changes to publishers. In addition, we will also correlate events participating to the same transaction. Initially we have two kinds of transaction:
Learn more:
The introduction of an event store into SPA is serving multiple goals:
The following is the recommended list of activities as per Behaviour-Driven Development (BDD):
features/metering.feature file to describe expected behaviour of the event storefixtures/settings/setting.yaml a parameter related to events TTL in daysmake all-tests failsresources/configuration.py to accept configurable TTL for events in daystests/test_configuration.py to validate TTL configuration inputmake all-tests passesresources/metering_construct.py with a construct Metering and an empty __init__() functionresources/serverless_stack.py and ensure that make all-tests passes correctlyresources/metering_construct.py that creates a DynamoDB table to persist events for configurable TTLcode/on_events_handler.py to code/on_events_then_store_handler.pytests/test_on_events_handler.py to tests/test_on_events_then_store_handler.pymake all-tests passestests/test_on_events_handler.py to create a lits of events for a given account and to pass it to the handlercode/on_events_then_store_handler.py to save events to the DynamoDB tablemake all-tests passes
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.