The Linux Mint official website is well documented enough and can be easily followed when installing LM. I have done this many times and the easiest way is to create a bootable USB stick with the chosen OS image you have selected. It is safe to just get the latest version and choose from Cinnamon, MATE or Xfce. You can get the list of versions from this page.

Booting from the USB stick

When you boot from the USB stick with the downloaded ISO image of Linux Mint you will get a look and feel of the OS immediately. Linux Mint is not yet installed on your computer so your hard disk is intact and untouched at this point. You would see how the desktop would look like. In the screenshot below, it is the MATE desktop of LM 22. Other desktop editions would look different. Cinnamon UI is more full but is quite heavy for old laptops. Xfce is the most lightweight but looks too old style in design.

Linux Mint 22 Desktop from the bootable USB installer

At this point, it is recommended to test your different hardware devices to see their compatibility. Common issues in Linux are audio, wifi, and bluetooth. I would advise to test these devices before proceeding with the installation. Make sure you can connect to the internet via wifi. There is a default Firefox browser installed in the OS image so you can test watching a YouTube video, for example. In this way, aside from internet connectivity you can also test the video and audio devices. Open also the bluetooth manager and check if you can connect your devices like keyboard, mouse and speakers.

Here’s a screenshot of the bluetooth manager in Linux Mint.

Linux Mint 22 bluetooth manager

Installing Linux Mint

After testing your devices and you’re happy with the results and your chosen Linux desktop, proceed with the installation. In the Desktop screen on the top left, there’s a CD icon labeled Install Linux Mint. Click that to start the installation.

A welcome screen will be displayed and this is when you start configuring your installation. Start with choosing your language and the keyboard layout.

Linux Mint 22 language selection

Linux Mint 22 keyboard layout selection

Then when asked for the multimedia codecs, install it to have a wide range of compatibility with playing videos and audios. Linux Mint 22 installing multimedia codecs

Managing the partition table

In the beginning, I mentioned that this was a full installation with the intent to wipe out my existing disk. I wanted to repartition, reformat and fully remove the Windows so my laptop would be all Linux without the dual-boot option.

The installer would detect that your disk is mounted with another OS. In my case it was the old Linux Mint 20 and Windows. I chose to unmount and repartition.

Linux Mint 22 unmount partitions message

Choosing the install type is the crucial part. This decides what will be done to your disk and its current data.

Make sure you BACKED UP your data before proceeding.

If I remember correctly, the default option is to erase and install Linux Mint as shown in this screenshot.

Linux Mint 22 install type selection

Linux Mint 22 erasing disk for a full install

However, my case was to manage my own partition so I selected the Something else option.

Linux Mint 22 managing the partitions

My disk of 512GB was partitioned in the following manner:

I prefer to separate my home folder with the system files in the root folder. If later my system files get corrupted again, I can install a new Linux in the OS partition without touching my home partition.

Currently, here’s how my partition table looks like in GParted after months of usage.

Snapshot of my partition table in GParted in Linux Mint 22

After deciding how much you want to allocate per partition, click Install Now.

A message warning will ask you to confirm that your data will be deleted and the new partition will be written. Again, check and confirm before you proceed.

Linux Mint 22 writing partition confirmation warning

Installation Continues

The Linux Mint installation will continue and ask for more configuration like your location and creating the first user with username and password.

Linux Mint 22 choosing location

Linux Mint 22 entering user details

Then the actual writing to disk happens. The OS will be installed with system files, drivers and bundled applications. This will take several minutes and a progress bar is displayed.

Linux Mint 22 installation with progress bar

You will also see the new feature highlights of the Linux Mint version your are installing.

Linux Mint 22 features on display during installation

Finally a message prompt that says the installation is complete.

Linux Mint 22 installation complete message

Restart with the newly installed Linux Mint

Click Restart Now to fully complete the installation. Remember to remove the bootable USB stick to boot from your newly formatted hard drive with Linux Mint installed.

Install the rclone client

First, install the rclone client.

1
sudo apt install rclone

You can also download and install direct from the rclone site.

Create a developer app in Google Cloud

Next, you need to create a developer app in Google Cloud. In this app, you will create and configure API keys, consent form, scopes of access and other details to basically tell your users, in this case just you, that you are allowing this app to access your Drive and your files. The point of the app is to be able to create API tokens that you can then configure in rclone so that it can access your Google Drive.

Enable the Google Drive API

1. Login to the Google API Console.
2. In the left hand navigation menu under Products select APIs & Services - Enabled APIs and Services.
3. There is a tab labeled ”+ Enable APIs and Services”. Click it and search for the Google Drive API and enable it.

Create a Consent Screen

1. Go to OAuth Consent Screen in the left hand panel.
2. Click Get Started and add an app name e.g. rclone.
3. In the support email, enter your email address.
4. Then choose External in the Audience.
5. Add another contact email and click Finish.

Create an OAuth Client

1. In Clients create an OAuth 2.0 Client IDs.
2. Choose Desktop app as the type.
3. Name your client e.g. my-rclone-desktop.
4. A pop-up will show the Client ID and Client Secret. Make a copy of them and save them somewhere else. These are the credentials you will use in rlcone config.

More details and references here.

Configure Google Drive in rclone

In rclone config choose Google Drive as the type of storage. Then follow the steps. It will ask you to use the web browser to authenticate. From there you will see the consent and the credentials will be used and configured.

Refer to this sample.

Test the connectivity

Now let’s test the connectivity with some basic rclone commands.

1. Make a folder linuxmint in the home directory to store the backup files.

   1
    rclone mkdir gdrive:/linuxmint
   

2. Create a dummy test file and upload in the backup folder.

   1
   2
    echo "testing google drive in rclone" > /tmp/my-notes.txt
    rclone copy /tmp/my-notes.txt gdrive:/linuxmint/
   

3. Verify the backup folder contents.

   1
   2
   3
   4
    rclone ls gdrive:/linuxmint
    rclone copyto gdrive:/linuxmint/my-notes.txt /tmp/my-notes-copy.txt
    diff /tmp/my-notes.txt /tmp/my-notes-copy.txt
    cat /tmp/my-notes.txt /tmp/my-notes-copy.txt
   

   Sample output:

   1
   2
   3
   4
   5
   6
   7
   8
    rclone ls gdrive:/linuxmint
    $ rclone ls gdrive:/linuxmint
       31 my-notes.txt
    $ rclone copyto gdrive:/linuxmint/my-notes.txt /tmp/my-notes-copy.txt
    $ diff /tmp/my-notes.txt /tmp/my-notes-copy.txt
    $ cat /tmp/my-notes.txt /tmp/my-notes-copy.txt
    testing google drive in rclone
    testing google drive in rclone
   

For reference, here’s a list of rclone commands.

1
2
mkdir my-simple-app
cd my-simple-app

Install

1
2
npx create-expo-app@latest .
npm run reset-project

https://www.nativewind.dev/docs/getting-started/installation

1
2
npm install nativewind tailwindcss react-native-reanimated react-native-safe-area-context
npx tailwindcss init

1
2
3
4
5
6
7
8
9
/** @type {import('tailwindcss').Config} */
module.exports = {
  content: ["./app/**/*.{js,jsx,ts,tsx}", "./components/**/*.{js,jsx,ts,tsx}"],
  presets: [require("nativewind/preset")],
  theme: {
    extend: {},
  },
  plugins: [],
}

Add globals.css in app folder.

1
2
3
@tailwind base;
@tailwind components;
@tailwind utilities;

Add babel.config.js in the project folder.

1
2
3
4
5
6
7
8
9
module.exports = function (api) {
  api.cache(true);
  return {
    presets: [
      ["babel-preset-expo", { jsxImportSource: "nativewind" }],
      "nativewind/babel",
    ],
  };
};

Add metro.config.js. Make sure the input points to the globals.css location.

1
npx expo customize metro.config.js

1
2
3
4
5
6
const { getDefaultConfig } = require("expo/metro-config");
const { withNativeWind } = require('nativewind/metro');
 
const config = getDefaultConfig(__dirname)
 
module.exports = withNativeWind(config, { input: './app/globals.css' })

Download the Expo app

Run

1
npx expo start

Recently, I have been “vibe coding” with Gemini CLI and have released a side-project to production with its help (or it released the project with my help?). Throughout the process, I realized that I used AI in an already bootstrapped project with my preferred stack and framework. In this post, I want to try starting from scratch and will share my experience on how to bootstrap an empty project with Gemini CLI.

I have also recorded this build process and you can watch it here.

Add context in GEMINI.md

First, let’s write the context in the GEMINI.md file. This will guide the AI on what we want to build. It contains the steps necessary to create a new project in React Typescript, installs the dependenies, setup Tailwind CSS version 4, clean-up the default CSS, and create a new landing page with a message. By giving such context, you have more control on what Gemini will do in building the project.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# GEMINI

## Bootstrap a React Typescript app with Tailwind v4
### Create a new React TS project
1. Create the project

    ```
    npm create vite@latest [app-name] -- --template react-ts
    ```

1. Go to the project folder and install dependencies.

    ```
    cd [app-name]
    npm install
    ```

### Add Tailwind v4 in the project
1. Install Tailwind CSS for Vite. Make sure you are in the project folder.

    ```
    npm install tailwindcss @tailwindcss/vite
    ```

1. Edit `vite.config.ts`.

    1. Add `tailwindcss/vite` in the imports section.

        ```
        import tailwindcss from '@tailwindcss/vite'
        ```

    1. Add Tailwind CSS in the plugins section. If there are other plugins defined, do not remove them. Just append `tailwindcss()` at the end.

        ```
        export default defineConfig({
        plugins: [
            tailwindcss(),
        ],
        })
        ```

1. Clear the default CSS files.
    1. Delete App.css and index.css

    ```
    rm src/App.css
    rm src/index.css
    ```

    1. Create a new index.css.

    ```
    touch src/index.css
    ```

    1. Edit `src/index.css` and add the Tailwind CSS import.

    ```
    @import "tailwindcss";
    ```

1. Refer to the Tailwind installation using Vite [doc](https://tailwindcss.com/docs/installation/using-vite) for details.

Run Gemini CLI in an empty folder

Create an empty folder and save the GEMINI.md file in it.

1
2
3
mkdir bootstrap-react-ts-twind
cd bootstrap-react-ts-twind
touch GEMINI.md #update this file

1
npx https://github.com/google-gemini/gemini-cli

Gemini CLI console

Prompt Gemini

With the Gemini CLI running, give it the instructions to start your project.

1
2
3
4
5
6
7
8
9
10
Create a web app called my-app that displays the following in the landing page.

"Welcome to my React Typescript app built by Gemini CLI."

Use Vite and Tailwind.
Install Tailwind CSS in the project.
Clean the default CSS files and use Tailwind CSS.
Use Tailwind to design the styles of the landing page and make it appealing. 

Follow the steps at @GEMINI.md

Somehow I had to explicitly mention in the prompt to follow the GEMINI.md document.

When you type @ in Gemini CLI, it adds context to the prompt by referencing a file. See /help for details and other commands.

Gemini CLI building process

As Gemini runs and sets up your project, it will prompt you everytime it needs to execute a command. Review it and accept to proceed.

In this screenshot, it asks to execute the project creation using Vite and the React TS template. This is basically following the document we created which is correct.

Gemini CLI execution prompt

Gemini Pro limit

Once in a while, you might hit a limit using the Gemini Pro 2.5 model. It will force you to use a smaller but faster model in Gemini 2.5 Flash. Just retry the prompt if this happens.

Gemini CLI execution prompt

Test the React app

After Gemini completes, run the app locally.

1
npm run dev

Check the landing page at http://localhost:5173/.

It worked! It’s pretty cool to see a working project setup without wrinting any code.

Now your mileage may vary as AI can be unpredictable at times. Retry if that happens. But with a clear context guide, the outcome can be more deterministic.

Gemini CLI React landing page

Verify the project contents

Now, let’s verify the contents of the project whether it followed the steps properly.

Dependencies were installed.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ npm list
my-app@0.0.0 bootstrap-react-ts-twind/my-app
├── @eslint/js@9.31.0
├── @tailwindcss/vite@4.1.11
├── @types/react-dom@19.1.6
├── @types/react@19.1.8
├── @vitejs/plugin-react@4.7.0
├── eslint-plugin-react-hooks@5.2.0
├── eslint-plugin-react-refresh@0.4.20
├── eslint@9.31.0
├── globals@16.3.0
├── react-dom@19.1.0
├── react@19.1.0
├── tailwindcss@4.1.11
├── typescript-eslint@8.38.0
├── typescript@5.8.3
└── vite@7.0.5

The Vite config was updated.

1
2
3
4
5
6
7
8
9
$ cat vite.config.ts 
import { defineConfig } from 'vite'
import react from '@vitejs/plugin-react'
import tailwindcss from '@tailwindcss/vite'

// https://vite.dev/config/
export default defineConfig({
  plugins: [react(), tailwindcss()],
})

The default css files have been removed and a new index.css created.

1
2
3
4
$ ls src/*.css
src/index.css
$ cat src/index.css 
@import "tailwindcss";

Enhance the workflow

At this point, our setup is complete. We can just ask Gemini to spin-up new projects by just giving the project name and it creates the same steps every time following our preferred stack and framework. However, there is still a chance that it can make mistakes. It might not follow our steps and do things on its own. To make it more predictable, we just ask Gemini to automate this whole thing and create a script instead. Then the script will bootstrap the project. This also saves us AI usage especially if you use API keys in your Gemini sessions.

Generate a bootstrap script

We ask Gemini to create a Python script following our guidelines.

1
2
3
Create a Python script that follows the bootstrap steps in creating a React TS Tailwind app.

Refer to @GEMINI.md

Gemini writing Python coding process

Same as before, Gemini will prompt you again to confirm if the code is correct or at least what you expect it to write. You can review this and accept or propose other changes. Most of the time you just accept and test it out.

Gemini CLI writing Python code

Test the script

Now, we run and test the newly created script and pass the project name like my-app-3.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
$ python3 bootstrap_react_ts_tailwind.py my-app-3
Bootstrapping React TypeScript Tailwind app: my-app-3

Step 1: Creating React TS project...
STDOUT:

...(redacted for brevity)

Step 2: Installing project dependencies...
STDOUT:

added 188 packages, and audited 189 packages in 11s

...

Step 3: Installing Tailwind CSS for Vite...
STDOUT:

---

Step 4: Modifying vite.config.ts...
vite.config.ts modified successfully.

Step 5: Clearing default CSS files...
Deleted ... /my-app-3/src/App.css
Deleted ... /my-app-3/src/index.css

Step 6: Creating new src/index.css with Tailwind import...
Created and wrote to ... /my-app-3/src/index.css

Step 7: Modifying src/App.tsx for welcome message and styling...
src/App.tsx modified successfully.

Bootstrap process completed successfully!
To run your app, navigate to the 'my-app-3' directory and run 'npm run dev'

$ cd my-app-3/
$ npm run dev

> my-app-3@0.0.0 dev
> vite

  VITE v7.0.5  ready in 587 ms

  ➜  Local:   http://localhost:5173/
  ➜  Network: use --host to expose
  ➜  press h + enter to show help

Here’s the new page created by the Python script.

Gemini CLI Python generated landing page

Bug fixing

In the process while I was doing this, the first Python script generated by Gemini had a bug because it didn’t update the landing page src/App.tsx. I had to prompt it again to fix the landing page with a welcome message and use Tailwind CSS. To know more about the details of this, you can watch the video walkthrough where I recorded all the steps from beginning to end.

Conclusion

With Gemini CLI and its agentic tools, it does not just talk to you via chat but also do the execution of reading docs, writing scripts, and fixing bugs. We started with an empty folder with the idea of a workflow where we bootstrap a project from scratch with our preferred framework. Using context files like the GEMINI.md, we can guide AI to follow the steps within the context so that it builds the app according to our guidelines. This session with Gemini CLI only took 10 mins and the whole process including writing the guide is around 20 minutes. At the end, we have a working Python script that quickly builds a new React Typescript project with Tailwind CSS.

Checkout the code in Github

The code including the Python script, GEMINI.md, and the sample project generated can be found here.

A common use case we see in Generative AI applications is a chatbot solution with integration to a knowledge base like enterprise data to feed the AI additional information in responding to the chat. These knowledge bases are static data or unstructured data like documents stored in S3 where it is indexed regularly for updates to be searched by the foundation model. Patterns such as Retrieval-Augmented Generation (RAG), chunking of the documents, storage like vector databases (Amazon OpenSearch, Aurora PG, etc) are used. However, if we need to incorporate dynamic structured data like those stored in relational databases or data frequently accessed and updated, this kind of indexing pattern will not work as the updates can happen in real-time. This is where agents come in to assist the foundation model to perform tasks other than just language generation. In Amazon Bedrock, there is a Bedrock Agents feature that serves this purpose. Your Bedrock foundation model can be well integrated in your other workload such as API via Lambda functions to access your dynamic data. We will explore this pattern by showing a simple example of a Bedrock Agent accessing a Payment API through a Lambda function.

Architecture Diagram of Bedrock Agent Demo Integrating with Lambda

The demo we will build is a simple flow using the Bedrock console to test. We will just use two services - Bedrock and Lambda. In Bedrock we will create the Agent to orchestrate the flow and set the foundation model to be used. In Lambda, we will create a function that serves as the Payment API to represent the dynamic data we want to integrate.

Create a Bedrock Agent

In the Amazon Bedrock console, navigate to the Builder tools and Agents menu on the left then click the Create Agent button. Bedrock Create Agent console

It will prompt you to key in the Agent name and description. The Agent we will create will access the Payment API so we will name it as agent-payment-api. You can also accept the generated default name for quick prototyping if you just want to test it out.

Enter the Agent name and description

Next, you will be in the Agent builder page where you can put in more details to the Agent like API schema, permissions and prompts. This will be our main page when editing, saving the configuration and testing the Agent. You can always refer back to this page when you get lost in the console which happened to me at first when figuring out how to navigate the UI.

Just below the Agent name is the setting for the service role, choose the default setting which is to create a new service role for this Agent. A service role defines the permissions of what this Agent can do against your other AWS resources. Create a new service role for the Agent

Select the Foundation Model and Prompt

Then select the model. The model you choose will be the model used by the Agent when handling tasks. In our case, we will use the Anthropic Claude 3 Haiku model.

Make sure that your AWS account has access to at least one foundation model. You can refer back to the navigation on the left under Bedrock Configurations - Model access. Request for access if you don’t have access to any available model.

Next is probably the most important setting for the Agent which is providing instructions to it. This is essentially prompting the model on what to do to perform its task well. The more specific and clear the instructions we give, the better results we will have. You can experiment on this to achieve a better result. Also look at the specific foundation model documentation you are using on how to optimize the prompt.

Select the foundation model and provide a detailed instruction

Let’s try with an instruction that tells the Agent its role, its objective, and guide it on what it needs to do when given a few parameters so it knows how to process them, which API to invoke, and what it needs to do with the response payload. Since our backend API is a Payment API, we will tell the Agent to act like a financial manager that manages payment transactions of customers. We will give it an objective so it knows what will be its output and what are the available actions it can do. Then, we list down the different actions. For simplicity, we only have the retrieval part of the API, so we define it by adding some description on what the Agent needs to do when asked to retrieve a transaction given a transaction ID. Yes, it is quite specific so that we can have a more predictable result. Simply put, we are telling the Agent that if someone asks it to get the details of a payment transaction given its ID, it needs to look for a retrieve or get payment API, invoke it, and summarize the results based on the data it gets from the response.

The following is the full text of the instructions. Again, you can experiment and tweak this prompt to suit your APIs. It all depends on your objectives for creating the Agent in the first place.

1
2
3
4
5
6
7
8
9
10
11
12
13
Role: You are a financial manager responsible to managing the payment transactions of your customers.

Objective: Assist in payment transaction analysis by creating, updating, retrieving and deleting their payment transactions.

Payment Transaction Creation:

Payment Transaction Update:

Payment Transaction Retrieval:

Retrieve Payment Transaction: When a payment transaction id is provided, retrieve the payment transaction and provide a summary.

Payment Transaction Deletion:

Define the API actions

Our next step is to define the actions the Agent can perform. In the Action groups section click Add to create a new action group. Let’s call it action-group-payment-transactions.

Create Action Group

In the Action group type choose Define with API Schemas. With this option, we will specify a Lambda function that hosts our Payment API.

Scroll down to the Action group schema section and select Define via in-line schema editor. In the text box that follows, paste the OpenAPI schema of our Payment API. The full JSON format can be found in the GitHub source here.

Define the API schema using OpenAPI format

The point of providing the schema is to give the Agent as much information about the APIs, what paths are available, what are the parameters required, their data types, the response parameters, etc. The foundation model during its orchestration, analyzes the available actions and its corresponding invocations based on the configurations we set here.

If you look at the schema, it tells about the paths available. To get a payment transaction by ID, the Agent must construct an API call using the path /getTransaction, method post, and provide a query parameter transactionId of type int. Internally, that’s what the Agent does with the help of the foundation model to figure these things out. It acts like a client invoking your Payment API.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
    "paths": {
      "/getTransaction/": {
        "post": {
          "description": "Get payment transaction by id",
          "parameters": [
            {
              "name": "transactionId",
              "in": "query",
              "description": "Payment transaction identifier",
              "required": true,
              "schema": {
                "type": "integer",
                "format": "int32"
              }
            }
          ],

OpenAPI schema snippet of the get transaction request

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    "components": {
      "schemas": {
        "PaymentTransactionData": {
          "type": "object",
          "description": "Single payment transaction data",
          "properties": {
            "transactionId": {
              "type": "integer",
              "description": "Payment transaction identifier"
            },
            "amount": {
              "type": "number",
              "description": "Price of the payment transaction"
            },
            "product": {
              "type": "string",
              "description": "Description of the product purchased for this payment transaction"
            },
            "quantity": {
              "type": "number",
              "description": "Number of items purchased in this payment transaction"
            },
            "date": {
              "type": "string",
              "description": "Date of this payment transaction"
            }
          }
        }
      }
    }
  }

OpenAPI schema snippet of the Payment Transaction Data

In terms of response, it receives a PaymentTransactionData payload with fields transactionId, amount, product, quantity and date and their respective descriptions. By making the schema very descriptive, it helps the Agent understand your data and creates a meaningful response.

Build the Lambda function API

The next step is quite straightforward which is to create the API that accesses the dynamic data. In the Action group invocation, choose the Select an existing Lambda function.

Select the Lambda function to invoke for this action group

We don’t have the Lambda function yet so open the Lambda console in a new tab. In the Lambda console, click Create function.

Create the Lambda function hosting the Payment API

We will create the function from scratch. Use the name payment-transaction-api. Select Python 3.11 as the runtime and arm64 as the architecture. Click Create function.

In the code section, paste the full source code of the Lambda handler in the lambda_function.py file. Then click Deploy.

Paste the code of the Payment API

We will not be using a database source to retrieve the dynamic data. The data we will use for testing is hard coded in the Lambda function itself.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
payment_transactions = [
    {"transactionId": 1, "amount": 2.00, "product": "coffee", "quantity": 1, "date": "10-03-2024"},
    {"transactionId": 2, "amount": 1.50, "product": "tea", "quantity": 3, "date": "11-03-2024"},
    {"transactionId": 3, "amount": 3.00, "product": "biscuits", "quantity": 1, "date": "11-03-2024"},
    {"transactionId": 4, "amount": 6.00, "product": "chips", "quantity": 2, "date": "03-04-2024"},
    {"transactionId": 5, "amount": 15.00, "product": "cake", "quantity": 1, "date": "12-04-2024"},
    {"transactionId": 6, "amount": 6.00, "product": "cookies", "quantity": 3, "date": "19-04-2024"},
    {"transactionId": 7, "amount": 17.00, "product": "pizza", "quantity": 1, "date": "30-04-2024"},
    {"transactionId": 8, "amount": 12.00, "product": "sandwich", "quantity": 1, "date": "01-05-2024"},
    {"transactionId": 9, "amount": 22.00, "product": "burger", "quantity": 1, "date": "03-05-2024"},
    {"transactionId": 10, "amount": 10.00, "product": "fries", "quantity": 2, "date": "04-05-2024"},
    {"transactionId": 11, "amount": 9.50, "product": "noodles", "quantity": 1, "date": "10-05-2024"},
    {"transactionId": 12, "amount": 16.80, "product": "pasta", "quantity": 4, "date": "14-05-2024"}
]

Test data of payment transactions

Fun fact: I also used GenAI to generate these dummy data with the help of Amazon CodeWhisperer enabled in my IDE.

Let’s walk through the Python code. It’s pretty much a standard Python Lambda function code with the lambda_handler as the entry point. However, your handler must be able to follow the request and response payload format the Bedrock Agent will send and receive, respectively. There’s an input event from Amazon Bedrock that serves as the Lambda input. You can find more details here. In our Payment API, the key parameters we need are the apiPath to determine which operation to process, and the transactionId in the parameters array. Then in constructing the response include the body in the responseBody field. Our example is simple so we only need these, but you can also explore the other parameters like contextual attributes to pass across sessions and prompts such as sessionAttributes and promptSessionAttributes.

Before you proceed back to the Bedrock console, make sure you have deployed the Lambda function. Click Deploy in the code tab.

Remember the full source code is available in GitHub here.

Now that we have created and deployed the Lambda function, go back to the Bedrock console. In the Action group invocation section select the Lambda function payment-transaction-api. If you can’t find it, click the refresh icon to refresh the list.

Select the payment-transaction-api function

Finally, at the bottom of the Action group details page, click Save and exit. You will return to the Agent builder page, click Save there as well. A prompt will tell you to prepare the Agent so that its details are up to date.

Prompt to prepare the Agent to keep it up to date before testing

On the right there’s a Test agent pane, click the Prepare button to update the Agent.

Prepare the Agent in the Test console

Test the Agent

In the Test console, try asking the agent with a prompt like “Give me a summary of the payment details in transaction id 3.”.

Test Agent with permission error

You will see an error that says Access denied when invoking the Lambda function…. Right, we didn’t give permission for the Agent to invoke our Lambda function.

Setup the Agent permissions to invoke Lambda

One of the usual errors you will face when integrating different services in AWS is access permissions. Here we are integrating our Lambda function with the Bedrock Agent. One way to do this is to update the Lambda function’s Resource Policy to allow the Agent access to it. You can also refer to the documentation here.

Go back to the Lambda console and edit the payment-transaction-api function. Go to the Configurations tab, click Permissions on the left menu.

Lambda Permissions under the Configurations tab

Find the Resource-based policy statements section and click Add permissions. Add a Resource Based permission in Lambda

Add a new policy in the Lambda function to allow the service bedrock.amazonaws.com as the Principal and the specific Bedrock Agent as the Source Arn. You need to grab the ARN of the Agent we just created. Go back to the Bedrock Console, under Agents open the agent-payment-api and in the Agent Overview section you will see the Agent ARN. Its format is something like arn:aws:bedrock:[region]:[accountId]:agent/[agent-id]. Then in the Action field choose lambda:InvokeFunction. Click Save.

Edit the Lambda policy to allow the Bedrock Agent

Test the Agent again with the right permissions

So let’s test again the Agent in the Bedrock Console and this time it has the proper permissions to access the Lambda function.

Let’s try asking in the prompt.

Give me a summary of the payment details in transaction id 3.

Test Prompt 1 - Payment details of Transaction Id 3

Refer back to our test data to verify. Looks like it was able to retrieve one biscuit at $3 which is the right information for the transaction ID 3.

This time let’s try asking just for the product purchased.

What product was purchased in transaction id 10?

Test Prompt 2 - What product was purchased in Transaction Id 10

Fries is correct.

How about asking for multiple transactions?

List the products purchased for transaction ids 1, 2 and 3?

Test Prompt 3 - List products purchased for transaction IDs 1, 2, and 3

Great! It was able to invoke multiple times the API.

If you notice there’s a Show trace option in the console. You can click that to see the flow of orchestration of the Agent. What payload it uses to invoke the Lambda function, how many times it invokes it, etc. It is also useful when troubleshooting.

Show trace to see the steps of the Agent orchestration

Pricing

In terms of pricing, the Bedrock Agent itself does not incur additional cost. You are only charged for the models used which in our case is the Claude Haiku 3.

When using Amazon Bedrock Agents and Amazon Bedrock Knowledge Bases, you are only charged for the models and the vector databases you use with these capabilities.

Refer also to the Bedrock Pricing and the Lambda Pricing.

Clean up

Make sure to clean up the resources to avoid further costs. Delete the Lambda function payment-transaction-api. Then delete the Agent agent-payment-api.

Next steps

In this demo we only tried one operation which is retrieval of dynamic data. You can try to expand this example and add the other API operations such as create, delete and update of the payment transactions. Make sure to define them well in the schema including the required parameters so the Agent will know which operation to choose during its orchestration of prompts from the user. You can also try being creative in the prompts and see how the Agent handles the API invocation.

Summary

In using Bedrock Agents, we can enrich our GenAI applications with dynamic content in real-time that can only be accessed programmatically through APIs. Agents can be easily created in the console by providing clear and specific instructions and a defined API schema to point it to the right Lambda functions. Also make sure that the right permissions are created to make the integration successful. With the Lambda function interaction with Bedrock through the Bedrock Agent, our AI assistant can have a wide range of possibilities. Imagine executing other external APIs, integrating with other systems, and letting the Agent do multiple stages of actions. Your foundation model can now interact with your APIs and dynamic data through these agents and make your GenAI applications do tasks for you.

A common requirement of customers especially those in highly regulated industries like banks or healthcare when building their application in the cloud is to deploy it in an isolated environment or no internet access. This is to add extra protection to their workload and prevent its data from leaking out. In AWS, this is done by deploying in isolated subnets that have no Internet Gateways attached to the VPC or no proxies that connect to the internet. If your workload needs access to the AWS services you will then need to add the respective VPC Endpoints or AWS PrivateLink.

Adding the AWS PrivateLink is all good if you know what service endpoints you need to add but if an AWS service, for example Amazon EKS requires dependencies on other services that you are not aware of, then access to those services will be blocked until you add their VPC endpoints thus causing a cluster creation to fail.

Another obstacle is that when you use an IaC like the AWS Cloud Development Kit or CDK to build your infrastructure, its Constructs sometimes abstract the underlying implementations and you are not aware of what other AWS services they use. In this post, I will list down the services that need VPC endpoints when creating an EKS private cluster in isolated subnets using AWS CDK.

Architecture Overview

Architecture diagram of a private Kubernetes cluster in EKS on isolated subnets with the required VPC endpoints

EKS Private Cluster Creation

An EKS cluster is a Kubernetes cluster managed by AWS. When you use CDK to create the cluster, you can use constructs such as Cluster which is part of the package software.amazon.awscdk.services.eks in the Amazon EKS Construct Library in Java. Other languages are also supported, refer to the CDK documentation. To build the cluster, you call the class method Cluster.Builder.create(). followed by a bunch of configuration methods. Here’s an example.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
private void createEksCluster(Role clusterAdmin) {
    this.cluster =
        Cluster.Builder.create(this, "eks")
            .vpc(vpc)
            .version(KubernetesVersion.V1_28)
            .vpcSubnets(
                List.of(SubnetSelection.builder().subnetType(SubnetType.PRIVATE_ISOLATED).build()))
            .endpointAccess(EndpointAccess.PRIVATE)
            .clusterName("eks-private")
            .kubectlLayer(new KubectlLayer(this, "kubectl-layer"))
            .defaultCapacity(0)
            .mastersRole(clusterAdmin)
            .placeClusterHandlerInVpc(true)
            .clusterHandlerEnvironment(Map.of("AWS_STS_REGIONAL_ENDPOINTS", "regional"))
            .kubectlEnvironment(Map.of("AWS_STS_REGIONAL_ENDPOINTS", "regional"))
            .outputClusterName(true)
            .outputConfigCommand(true)
            .outputMastersRoleArn(true)
            .build();

The full code in Java CDK is available in GitHub aws-samples.

If you look closely on the configurations, we are creating private isolated subnets and the Kubernetes access endpoint as private with the method calls to .subnetType(SubnetType.PRIVATE_ISOLATED) and .endpointAccess(EndpointAccess.PRIVATE), respectively. This ensures that the Kubernetes cluster has no internet access.

VPC Endpoint Dependencies

Now, the CDK construct will call other AWS services and assumes they are accessible. But since we told CDK to create it in private isolated subnets, you need to ensure that the respective VPC endpoints are created to provide access to these other services.

When creating a VPC endpoint you specify the service name. An EKS cluster obviously requires access to the EKS service which has the service name com.amazonaws.[region].eks where region is the AWS Region where it is deployed for example com.amazonaws.ap-southeast-1.eks. Amazon ECR is also needed. That is where the container images are pulled from. The ECR endpoint service name is com.amazonaws.[region].ecr.api and com.amazonaws.[region].ecr.dkr. These services including CDK also use Amazon S3 so an endpoint to it must be created. For S3 it is com.amazonaws.[region].s3.

When the EKS cluster scales, it creates or terminates EC2 worker node instances. This means it needs access to the EC2 service so we need to add com.amazonaws.[region].ec2. In our example, we also need EC2 to run the kubectl client. EKS also needs the AWS Security Token Service to manage the authentication of Kubernetes users, pods and services. So we also need com.amazonaws.[region].sts. For observability, Amazon CloudWatch(https://docs.aws.amazon.com/cloudwatch/) service needs to be accessed too. This is in com.amazonaws.[region].logs and com.amazonaws.[region].monitoring endpoints.

AWS recommends using AWS Systems Manager or SSM to manage the EC2 instances or EKS worker nodes. We need three endpoints to make SSM work. These are com.amazonaws.[region].ec2messages, com.amazonaws.[region].ssm and com.amazonaws.[region].ssmmessages. You can refer here for details on how these endpoints are used by SSM.

Lastly, CDK and its constructs use AWS Lambda cluster handler functions and AWS Step Functions to manage the creation and monitoring of the EKS cluster so VPC endpoints to these services are also required. For Lambda it is com.amazonaws.[region].lambda and for Step Functions you need com.amazonaws.[region].states and com.amazonaws.[region].sync-states.

List of VPC Endpoints

The following is a list of VPC endpoints required to create an EKS cluster in isolated subnets using CDK. For the full service names, append each endpoint with com.amazonaws.[region]..

1. S3 - s3
2. ECR - ecr.api, ecr.dkr
3. EC2 - ec2
4. EKS - eks
5. Security Token Service - sts
6. Cloudwatch - logs, monitoring
7. Systems Manager - ec2messages, ssm, ssmmessages
8. Lambda - lambda
9. Step Functions - states, sync-states

For reference, here’s the full list of AWS PrivateLink endpoint service names.

Once you have created all the above mentioned endpoints in your isolated subnets, you can try the CDK Construct to build the EKS Cluster. I have pushed the example and the full code on GitHub and is available in the aws-samples repository. Please refer to the README page that has the step-by-step approach to deploy and test the cluster.

This example is also referenced in the official AWS CDK documentation on how to create an EKS cluster in isolated subnets under the Amazon EKS Construct Library. Search for the keyword Isolated where a note is created to refer to our example.

In digikam there is a setting to adjust the date and time but it does not seem to edit the video metadata itself. I’m using digikam version 8.0.0 on Linux Mint 20. It does update only locally in digikam. If you upload your videos to other software or to the cloud, the original incorrect timestamp is retained. So here are some commands to use in exiftool to modify the metadata directly on the video file.

Check all the available metadata with date in its name

exiftool myvideo.mp4 | grep -i date

Sample output

1
2
3
4
5
6
7
8
9
10
11
File Modification Date/Time     : 2024:01:02 18:47:47+08:00
File Access Date/Time           : 2024:01:02 18:47:45+08:00
File Inode Change Date/Time     : 2024:01:02 18:47:58+08:00
Create Date                     : 2023:06:17 03:30:04
Modify Date                     : 2023:06:17 03:30:04
Track Create Date               : 2023:06:17 03:30:04
Track Modify Date               : 2023:06:17 03:30:04
Media Create Date               : 2023:06:17 03:30:04
Media Modify Date               : 2023:06:17 03:30:04
Last Update                     : 2023:06:17 11:30:04+08:00
Creation Date Value             : 2023:06:17 11:30:04+08:00

If there’s one metadata field that has the correct timestamp based on how you know when the video was taken or based on the generated thumbnail photo of that video, then use that field to copy to the other timestamp fields. In Sony a7c, the Creation Date Value seems to be the correct field, so we use that to copy over its value to the other timestmap fields. The fields to update are the Create Date, Modify Date, Track Create Date, Track Modify Date, Media Create Date, and Media Modify Date.

To update all timestamp metadata of all mp4 files in the current directory to use the Creation Date Value

1
exiftool '-mediacreatedate<creationdatevalue' '-mediamodifydate<creationdatevalue' '-createdate<creationdatevalue' '-modifydate<creationdatevalue' '-trackcreatedate<creationdatevalue' '-trackmodifydate<creationdatevalue' -ext mp4 .

In the exiftool command above, the less than sign means it will copy over the value of the field on the right to the field on the left. The dash - indicates the field to use and the -ext means the extension file to update. Then the . of course refers to the current directory.

Lastly, exiftool generates a backup with _original suffix. After you’ve verified the metadata update, you can delete this backup with the -delete_original option.

To delete the _original copies

1
exiftool -delete_original -ext mp4 .

Learn more about exiftool here.

Another security compromise that you have to make, and the more critical one, is that you need set your S3 bucket publicly readable. By default, this is not recommended by AWS. More and more security breaches are happening due to wrongly configured permissions of S3 buckets.

So how do we solve this? Use CloudFront with Object Access Identity or (OAI).

CloudFront is the AWS CDN solution where you can target your private S3 bucket as the origin using OAI. This will be the identity defined in your S3’s bucket policy to grant permission only to the CloudFront distribution and nobody else.

CloudFront also ensures the data in transit are in https and secure.

Here’s the overview of the set-up using CloudFront.

Architecture Overview

1. Route 53 resolves the domain name to the target CloudFront distribution. For example, in this website, code.eidorian.com is registered in Route 53 and it resolves it to the target alias d123456.cloudfront.com which is the CloudFront distribution.
2. The user’s browser downloads the website’s CloudFront distribution. If there’s a cache hit, the distribution returns the object immediately.
3. The SSL certificate is managed in Amazon ACM and configured in CloudFront during the creation of the distribution.
4. The CloudFront distribution is replicated across all edge locations of AWS.
5. If extra logic handling is needed, a Lambda@Edge can be deployed on the edge locations to do additional processing.
6. The private S3 bucket containing the static website is accessed by the CloudFront distribution via the granted permission given to its OAI in the S3’s bucket policy.
7. The requested object is returned to the distribution.

Pre-requisites

Before creating the CloudFront distribution, ensure that you have the following items ready.

1. An S3 bucket with the static content of the website.
2. A registered domain name.
3. An SSL certificate in AWS Certificate Manager or ACM.

Set-up the S3 bucket static content

The S3 bucket contains the website. Have something like index.html at least for testing and an error page like error.html

In my case, I am using Jekyll which is a static website generator. It has an index.html and a 404.html error page. We will be using that in this example.

Register a domain name

You can use Route 53 or some other domain name registrar to register your domain.

Create an SSL certificate in AWS Certificate Manager

If you don’t have a certificate yet, create one for your registered domain name in ACM.

Important: Create the certificate in the us-east-1 N. Virginia region. CloudFront will only see the certificates in this region.

Make sure that all the CNAMEs that you will use in CloudFront are also included in the certificate. Here I’m adding both eidorian.com and code.eidorian.com.

Then wait for the validation status to be Success.

If it’s Pending for quite a while, check the details. It may be waiting for an action from you like adding a record to Route 53.

Take note of the certificate’s ARN. You will need it later in the parameters section.

Create the CloudFront distribution using CloudFormation

Okay, so now that we have all the pre-reqs ready, let’s create the CloudFront distribution. It’s not very exciting to use the AWS console, let’s do it the CloudFormation way!

I have prepared a re-usable template below with three input Parameters. These are the three pre-requisites mentioned above - bucket name, SSL cert, and the CNAMEs.

CloudFormation Template

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BucketName:
    Description: S3 Bucket name
    Type: String
  SSLCert:
    Description: ACM certificate arn
    Type: String
  DomainNames:
    Description: Domain names or CNAMEs
    Type: CommaDelimitedList
Resources:
  WebsiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases: !Ref DomainNames
        Origins:
        - DomainName: !Join ['', [!Ref BucketName, '.s3.amazonaws.com']]
          Id: !Join ['', [!Ref BucketName, 'S3OriginId']]
          S3OriginConfig:
            OriginAccessIdentity: !Join ['', ['origin-access-identity/cloudfront/', !Ref CloudFrontOAI]]
        Enabled: 'true'
        Comment: !Join ['', ['CloudFront for S3 bucket ', !Ref BucketName]]
        DefaultRootObject: index.html
        CustomErrorResponses:
          - ErrorCode: 404
            ResponseCode: 200
            ResponsePagePath: /404.html
          - ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: /404.html
        DefaultCacheBehavior:
          AllowedMethods:
          - GET
          - HEAD
          TargetOriginId: !Join ['', [!Ref BucketName, 'S3OriginId']]
          ForwardedValues:
            QueryString: 'false'
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        ViewerCertificate:
          AcmCertificateArn: !Ref SSLCert
          MinimumProtocolVersion: TLSv1
          SslSupportMethod: sni-only
  CloudFrontOAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Join ['', [!Ref BucketName, '-origin-access-identity']]

In the Resources section, we have two types. One is the CloudFront distribution AWS::CloudFront::Distribution and the other one is the OAI AWS::CloudFront::CloudFrontOriginAccessIdentity.

AWS::CloudFront::Distribution

In the CloudFront distribution resource, we map the parameter values to the distribution properties.

1. The Aliases property sets the CNAMEs of the distribution. This is required later when setting the Route53 record to target the distribution alias. In the DomainNames parameter, put your registered domain name including the alternate names.
2. The DomainName property is the target origin domain name of the distribution where the CloudFront will get its content. In this case, it is the S3 bucket containing the website. The CloudFormation template uses the BucketName parameter to set this property by concatenating the bucket name with the .s3.amazonaws.com suffix. This suffix is the AWS domain name for S3 buckets.
3. The AcmCertificateArn property tells CloudFront which SSL certificate to use. Here the parameter SSLCert defines this with the ARN string of the certificate in ACM.

   Double-check your cert ARN, it should be in the us-east-1 region.

4. The OriginAccessIdentity property is the key property here that tells CloudFront which ID to use when accessing the origin (the S3 bucket). There is no parameter passed to this since we do not know yet the OAI prior to the CloudFormation stack creation. To get a hold of the reference of the OAI, use the OAI Resource’s name as reference which is CloudFrontOAI and it requires a prefix of origin-access-identity/cloudfront/.

For the other properties of the distribution, you can look them up here for details. But briefly, what we configured here is that CloudFront will default to index.html in the root folder. If the S3 origin returns 404 Not Found or 403 Forbidden, CloudFront will display the error page 404.html and remap the response to HTTP 200.

For convenience, some of the properties like IDs and comments are set by the template automatically using the bucket name. For example, the Origin ID is set to {BucketName}S3OriginId. You can change this string value if you want.

AWS::CloudFront::CloudFrontOriginAccessIdentity

This is the OAI resource that creates the Origin Access Identity with the name CloudFrontOAI. It simply creates the OAI and assigns a comment for description purpose.

If you already have an existing OAI and want to re-use it, you can just pass it’s ID as a parameter to set the OriginAccessIdentity. You won’t need the OAI resource in the template.

CloudFormation JSON property file

We can pass the parameter values to the template via command line option, AWS console, or using a property file. We will use the last one to create the CloudFormation stack.

Here’s a sample property file of the parameters and their values.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[
    {
        "ParameterKey": "BucketName",
        "ParameterValue": "code.eidorian.com"
    },
    {
        "ParameterKey": "SSLCert",
        "ParameterValue": "arn:aws:acm:us-east-1:youraccount:certificate/11111111-1111-1111-1111-111111111111"
    },
    {
        "ParameterKey": "DomainNames",
        "ParameterValue": "eidorian.com,code.eidorian.com"
    }
]

Executing the CloudFormation template using AWS CLI

Alright. We are all set.

Open a terminal and run the AWS CLI to create the stack.

In the sample commands, the template file name is cloudfront-s3-origin.yaml and the property file name is code-eidorian-com-properties.json

Create stack

1
2
3
aws cloudformation create-stack --stack-name cloudfront-s3-code-eidorian-com \
--template-body file://./cloudfront-s3-origin.yaml \
--parameters file://./code-eidorian-com-properties.json

Delete stack

If something goes wrong and your stack rolls back, delete the stack and re-create again.

1
aws cloudformation delete-stack --stack-name cloudfront-s3-code-eidorian-com

Update stack

If you update some of the properties in the template, simply update the stack.

1
2
3
aws cloudformation update-stack --stack-name cloudfront-s3-code-eidorian-com \
--template-body file://./cloudfront-s3-origin.yaml \
--parameters file://./code-eidorian-com-properties.json

The CloudFront distribution creation could take several minutes (~30 mins) to complete. The reason for this is it that it updates all the edge locations and distributes your website content. Even the delete and update stack could take the same amount of time.

Wait for your distribution status until it says Deployed. Then go to the distribution and verify the settings. Hopefully everything went well and your CloudFront distribution was created successfully with all the correct properties in place.

Verify the CloudFront distribution

Open your distribution and look at the tabs.

General tab

In the general tab you will see the CNAMEs you put in the Alias property, the SSL certificate ARN and a link to it, the index.html as the default root object, the sni-only in the SSL supported method, the minimum protocol TLSv1 and the comment set by the template.

Origins tab

In the origins tab is where you will find the OAI, the Origin ID we gave and the S3 origin domain name.

Behaviors tab

The DefaultCacheBehavior property values can be seen in the behaviors tab.

If you edit the behavior item, you will find more settings including the GET and HEAD methods we set in the template.

Error pages tab

Lastly, in the error pages tab, where we set the 401.html page as the default error page for errors 404 and 403 can be verified here.

Update the S3’s bucket policy

Now that the CloudFront distribution has been created and verified, there’s just one last thing you need to do before testing it out. Tell the S3 bucket to allow the OAI to access its content. Here’s the part where you update the S3 bucket’s policy and make it private allowing only the OAI arn as the Principal to access the bucket and no one else.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow-OAI-Access-To-Bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1111111111111"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::s3bucket/*"
        }
    ]
}

Then, you can now safely make your S3 private by setting the S3 static website to disabled

and blocking all public access.

Test your new secure website

That’s all folks. Now try and hit your website using https. The browser should now say it is secure. If you try an invalid path or page, you should see the default error page. If you try going to your S3 bucket’s direct url like the index.html S3 url, the access will be denied.

Final thoughts

A lot steps here and I tried to explain as much detail as I can but hopefully this is helpful especially the re-usable CloudFormation template. I removed the Lambda@Edge part since it is optional and this is getting long. I will talk about it more on my next post. Let me know your comments below.

This is the fourth and last part of my Serverless Webhooks post. You can find Part 3 here where we built the processor application, Part 2 here where we integrated SQS and Part 1 here where we built the Lambda function handler.

Let’s review again the architecture.

Architecture

In the previous post, we already built the poc-data-processor application and tested locally. It can read the SQS poc-data-feed-queue and update the DynamoDB table poc-data-feed. Our final step is to run this application on AWS. That is we will build the Docker image, push it to ECR, deploy to an ECS container and test in on AWS.

Build the Docker image and push to ECR

Since this is a Spring Boot application, in the Dockerfile we will use the openjdk:8-jdk-alpine image.

1
2
3
4
5
FROM openjdk:8-jdk-alpine
VOLUME /tmp
ARG JAR_FILE
COPY ${JAR_FILE} app.jar
ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/app.jar"]

Build the application

mvn clean package

Build the Docker image

mvn dockerfile:build

Tag the container to your AWS account’s ECR

docker tag adr1/poc-data-processor:latest myaccount.dkr.ecr.myregion.amazonaws.com/poc-data-processor:latest

Your image name may vary. Check your pom.xml if you have a different image prefix. Here I’m using adr1.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
    <properties>
        <docker.image.prefix>adr1</docker.image.prefix>
    </properties>
    <plugin>
        <groupId>com.spotify</groupId>
        <artifactId>dockerfile-maven-plugin</artifactId>
        <version>1.3.6</version>
        <configuration>
            <repository>${docker.image.prefix}/${project.artifactId}</repository>
            <buildArgs>
                <JAR_FILE>target/${project.build.finalName}.jar</JAR_FILE>
            </buildArgs>
        </configuration>
    </plugin>

Login to your AWS account

$(aws ecr get-login --no-include-email --region ap-southeast-1)

Push the image to your AWS account’s ECR

docker push myaccount.dkr.ecr.myregion.amazonaws.com/poc-data-processor:latest

Login to the AWS console and verify the image in the ECR.

The Docker image is now in the registry. Next is to configure ECS to run this image.

Configure ECS

In configuring the ECS container, we will create three things - a cluster, a task definition and a service.

The task definition poc-data-processor-task defines how to launch the Docker image poc-data-processor that we just pushed into the ECR. The service poc-data-processor-service manages the workload of running this task. Then the cluster poc-data-processor-cluster which we will define to use the Fargate launch type will take care of the EC2 instances to run these tasks internally.

Read more on the basics of ECS here.

Create the cluster

In ECS, go to Clusters and Create Cluster. We will use Fargate to simplify our setup without worrying much on managing the infrastructure and server details.

Name the cluster as poc-data-processor-cluster and create a new VPC for it. You can use an existing VPC but it is better to separate this PoC setup to isolate it. Later, it would be easier to clean-up too when we tear down this cluster.

Click Create and view the cluster details after creation. Here you will see the networking details that was set-up during the cluster creation like vpc, subnet, internet gateway, etc. You need not worry about these things as Fargate is supposed to take care of these things for you.

Create the task definition

Go to Task Definitions and click Create new Task Definition and choose Fargate.

Take note of the Task Role ecsTaskExecutionRole. We will modify this later to give access to DynamoDB.

For task size, 2GB memory and 1vCPU should be sufficient for our Spring Boot application.

In Container Definitions, click Add container. This is where we define our container and where to get the image. Enter here the image location in the ECR. For the memory, set at least 300MiB that is required by our application.

Leave the rest of the configuration to default. Make sure the Log configuration is ticked so we can monitor in CloudWatch our application.

In Fargate, we wont have access to login to the EC2 server to troubleshoot. So having our application log sent to CloudWatch is important.

After creating the Task Definition, go to IAM and modify the task definition’s role ecsTaskExecutionRole. Add an inline policy to the task process to be able to access DynamoDB. Remember our application needs to read and update the table poc-data-feed.

The inline policy to add is similar to the policy we gave access to our Lambda handler poc-data-feed-handler. You can refer to the first post here and copy the policy from AWSLambdaBasicExecutionRole.

Create the service

Finally, we will create the service poc-data-processor-service to manage running the task definition.

Go back the the cluster poc-data-processor-cluster. In the Services tab, click Create. Here we will specify the task definition and cluster we just created.

The Number of tasks tells Fargate how many tasks instances it will run for this service. For this PoC, we will just specify one. Later, to stop the application, we can set update the service and set this to zero.

Choose the VPC previously created for this and leave the rest to default.

Disable the features we do not need. Set the Load balancer type to None, Service Discovery to disabled, and Auto-scaling to off.

Review and create the service.

It will provision the service and launch the task. Wait for a while until its status is RUNNING.

Full test end-to-end

Similar to the previous posts, we will test this via Postman and send a sample payload.

Go to CloudWatch and Log groups and open /ecs/poc-data-processor-task.

Here you will see similar application logs we did when we tested locally in the previous post. The message is received from SQS, data payload is retrieved from DynamoDB with PENDING status, the data is processed by our task which is running the Docker image data-processor-application and updates the item status to COMPLETED.

You can also verify in DynamoDB the actual item is updated.

That’s it for our ECS setup. Our Docker data processor application is now running on the cloud.

Clean-up

Before we conclude, make sure to tear down the ECS set-up to not incur further costs.

Update the service poc-data-processor-service and change the Number of tasks to 0 (zero). This will stop the running task. After that, delete the cluster.

Summary

This completes our entire Serverless Webhook architecture in AWS. It has been a long series of posts. Hopefully we got a basic understanding of how to set-up a serverless webhook using API Gateway, Lambda, SQS, ECS, and DynamoDB. With this kind of set-up, we can have a cheap data receiver that only runs when data is available. It is easily expandable too by adding more Lambda functions to handle different data sets. If the data is large and requires longer processing time, we have a container task instance to do the heavy workload processing.

This is the third part of my Serverless Webhooks post. You can find Part 2 here where we integrated SQS and Part 1 here where we built the Lambda function handler.

This post is Part 3 of our serverless webhook system. Let’s look back at the architecture. So far we have the Lambda function handler poc-data-feed-handler as the webhook that receives the data. It then stores the raw data to the DynamoDB table poc-data-feed with the generated unique id txn_id. This unique id is also passed to a SQS message queue poc-data-feed-queue waiting to be processed.

What’s next is for us to build the poc-data-processor application to get the txn_id in the queue, get the corresponding data from the table, process and update it.

Architecture

Create the data processor application

Let’s go straight to building the application. Here we will use Java and Spring. You can choose your own stack. The approach is similar. AWS provides an array of SDKs for different programming languages.

Spring and Java code

Create a new Java project poc-data-processor. We will use Spring Boot as the framework of the application, Spring Cloud to access the SQS queue, and the AWS SDK for Java to access the Dynamo DB table.

Add the dependencies

Set the Maven dependencies as below.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
	<properties>
        <spring-cloud-version>2.1.3.RELEASE</spring-cloud-version>
        <aws-java-sdk-version>1.11.699</aws-java-sdk-version>
	</properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-aws-context</artifactId>
                <version>${spring-cloud-version}</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-aws-messaging</artifactId>
            <version>${spring-cloud-version}</version>
        </dependency>

        <dependency>
			<groupId>org.springframework.cloud</groupId>
			<artifactId>spring-cloud-starter-aws</artifactId>
            <version>${spring-cloud-version}</version>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-web</artifactId>
		</dependency>

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>

        <dependency>
            <groupId>com.amazonaws</groupId>
            <artifactId>aws-java-sdk-dynamodb</artifactId>
            <version>${aws-java-sdk-version}</version>
        </dependency>

    </dependencies>

Listen to the queue

In Spring Cloud, just add the annotation @SqsListener to enable your method to listen to the SQS queue.

1
2
3
4
5
    @SqsListener("poc-data-feed-queue")
    public void dataFeedListener(String data) {
        System.out.println("message received: " + data);
        processItem(data);
    }

The method dataFeedListener will receive the SQS message body. In this case, it will be the txn_id generated by the Lambda function.

Sample log of receiving a message:

message received: e51c16cb-41d0-4fff-8de4-de32de42205e

It then invokes the method to process the data passing the txn_id as key.

Process the data

The processItem method retrieves the item from the DynamoDB table poc-data-feed. Here we will use the AWS SDK for Java directly. Spring Boot supports accessing the DynamoDB table too but I find using the AWS SDK easier and simple for this PoC.

First, setup a bean for the DynamoDB client.

1
2
3
4
5
6
7
8
    @Value("${cloud.aws.region.static}")
    private String region;

    @Bean
    public AmazonDynamoDB amazonDynamoDB() {
        AmazonDynamoDB amazonDynamoDB = AmazonDynamoDBClientBuilder.standard().withRegion(region).build();
        return amazonDynamoDB;
    }

Then add processItem, getItem and updateItem methods in the DataProcessor class.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
    final static String TABLE_NAME = "poc_data_feed";

    @Autowired
    private AmazonDynamoDB dynamoDB;

    private void processItem(String txnId) {
        Map<String, AttributeValue> itemKey = new HashMap<>();
        itemKey.put("uuid", new AttributeValue(txnId));

        Map<String, AttributeValue> item = getItem(itemKey);
        System.out.println("data payload: " + item);

        Map<String, AttributeValueUpdate> updatedItem = new HashMap<>();
        updatedItem.put("status", new AttributeValueUpdate(new AttributeValue("COMPLETED"), AttributeAction.PUT));

        updateItem(itemKey, updatedItem);
        System.out.println("updated payload: " + getItem(itemKey));
    }

    private Map<String, AttributeValue> getItem(Map<String, AttributeValue> itemKey) {
        GetItemRequest request = new GetItemRequest()
                .withKey(itemKey)
                .withTableName(TABLE_NAME);
        Map<String, AttributeValue> item = dynamoDB.getItem(request).getItem();
        return item;
    }

    private void updateItem(Map<String, AttributeValue> itemKey, Map<String, AttributeValueUpdate> updatedItem) {
        dynamoDB.updateItem(TABLE_NAME, itemKey, updatedItem);
    }

In processItem, we first create the itemKey map using the txnId. We then get and update the data using this key.

The data type Map<String AttributeValue> is part of the AWS SDK for Java. It represents an item in the DynamoDB table.

In getItem, we retrieve the entire data payload on the table using the itemKey map. After getting the data, we can do the processing. In this PoC, we are simply updating the status to COMPLETED to imply that we have received the data, processed it as necessary and updated its status.

If you notice in the previous post, we have updated the Lambda function to add a new attribute status=”PENDING” for every new data it receives and stores in DynamoDB.

Then in updateItem, we passed back the itemKey and the new updatedItem to commit the changes back to the DynamoDB table.

The data type Map<String AttributeValueUpdate> is part of the AWS SDK for Java. It represents an updated item in the DynamoDB table.

That’s all that we need for the application to process the data. You can also refer to the official AWS SDK for Java documentation on how to access DynamoDB tables.

Test the application locally

Let’s run the application locally first before we containerize and deploy it to ECS. When testing locally, we have to setup the credentials to access the AWS resources. In our case, our application needs access to the SQS queue and DynamoDB table.

Check locally that you have ~/.aws/credentials already set-up. This is where your AWS access key and secret are stored. We will need it for local testing. Another option is to pass the credentials via environment variables.

Also setup the Spring Cloud property cloud.aws.credentials.useDefaultAwsCredentialsChain=true in the application.properties of the Spring Boot app. This property will tell Spring Cloud to use the AWS credential chain as defined in the SDK. Later, when we deploy this application to ECS, the chain will use the instance profile to get the credentials.

So regardless of where you put your credentials be it in the environment variables, instance profile or credential profile in ~.aws/credentials, the precedence will follow the AWS credential chain. Just ensure you do not store the credentials in your code or in your instances.

Now, build and run the app.

1
2
mvn clean package
jaa -jar target/poc-data-processor-1.0-SNAPSHOT.jar

Fire some requests using the same Postman payload as in the previous post.

Sample log of processing the data:

message received: a6e7965a-f2fb-4e76-ac26-75d2e221ea13
data payload: {referralId={S: sazed55,}, name={S: Sazed,}, emailId={S: sazed@gmail.com,}, uuid={S: a6e7965a-f2fb-4e76-ac26-75d2e221ea13,}, age={N: 50,}, status={S: PENDING,}}
updated payload: {referralId={S: sazed55,}, name={S: Sazed,}, emailId={S: sazed@gmail.com,}, uuid={S: a6e7965a-f2fb-4e76-ac26-75d2e221ea13,}, age={N: 50,}, status={S: COMPLETED,}}

Notice that when we retrieved the item, its status was PENDING and it was updated to COMPLETED after the processing.

Note that the if the processing failed for some reason, the SQS message has already been consumed. Either you modify and return back the message to the queue if the processing failed or retry the processing in the application.

That’s it for our data processing application. We’ve tested it and showed that it can consume the SQS message and update the data in the DynamoDB table.

In my next post, we will containerize this application and deploy it to ECS.

12Jan20 Update: The amazonDynamoDB bean has been modified to include the AWS Region. I have also uploaded the full source code of the poc-data-processor application on GitHub here.