<h1>Thoughts of a Mike</h1>
<p>Mike Bailey, <a href="https://mike.bailey.net.au/feed.xml">https://mike.bailey.net.au/feed.xml</a> (feed updated 2022-12-20)</p>
<h1>Fixed! ~~Melburnians Misinformed about Lockdown Rules for Exercise~~</h1>
<p>Mike Bailey, 2020-07-08, <a href="https://mike.bailey.net.au/2020/07/melburnians-misinformed-about-lockdown-rules-for-exercise">https://mike.bailey.net.au/2020/07/melburnians-misinformed-about-lockdown-rules-for-exercise</a></p>
<hr />
<p><strong>Update: July 17 2020</strong></p>
<p>The Victorian Govt has updated restrictions to say you cannot travel further than necessary for exercise.</p>
<p><a href="https://www.dhhs.vic.gov.au/sites/default/files/documents/202007/Stay%20at%20Home%20%28Restricted%20Areas%29%20%28No%202%29%28signed%2010%20July%29.pdf">Stay at Home Directions (Restricted Areas) (No2)</a> was released on 10 July 2020.</p>
<blockquote>
<p>(1A) A person may only leave their premises under subclause (1) where it does not involve unreasonable travel or travelling to a place for an unreasonable amount of time.</p>
<p>Note 2: unreasonable travel would include travel within the Restricted Area to exercise or outdoor recreation where that type of activity can be done closer to home. Travelling to an area outside the Restricted Area for exercise or outdoor recreation is prohibited under these directions.</p>
</blockquote>
<hr />
<p><strong>Update: July 9 2020</strong></p>
<p>I was pleased to receive a response informing me that <a href="https://www.vic.gov.au/coronavirus-covid-19-restrictions-victoria#a-return-to-stay-at-home-restrictions-for-metropolitan-melbourne-and-mitchell-shire-from-1159pm-on-wednesday-8-july-2020">www.vic.gov.au</a> has been updated to remove the ambiguity.</p>
<p>It’s great that this was addressed so promptly in what I’m sure is a very busy
time for the people involved.</p>
<hr />
<p>A page on the Victorian Government’s website has led many to believe they cannot leave their Local Government Area (LGA) for exercise.</p>
<blockquote>
<p>Additionally, there will only be 3 reasons to cross the border of these metropolitan areas:</p>
<p>Shopping for food and supplies
Medical care and caregiving
Study and work – if you can’t do it from home”</p>
<p><a href="https://www.vic.gov.au/coronavirus-covid-19-restrictions-victoria#a-return-to-stay-at-home-restrictions-for-metropolitan-melbourne-and-mitchell-shire-from-1159pm-on-wednesday-8-july-2020">www.vic.gov.au</a></p>
</blockquote>
<p>This is in contrast to advice on the Department of Health and Human Services
(DHHS) website, which makes clear that the new Stay at Home restrictions prevent
people leaving Greater Melbourne for exercise, but not their LGA.</p>
<blockquote>
<p><strong>I live in Melbourne - can I exercise outside with someone who is not part of my household?</strong></p>
<p>From 11:59pm on 8 July, changed gathering limits apply to the Melbourne
metropolitan area and the Shire of Mitchell. If you live in this area, you are
only allowed to exercise outside with one other person, or members of your
household.</p>
<p>In order to help stop the spread of coronavirus (COVID-19) across the state,
you cannot leave metropolitan Melbourne or Mitchell Shire to exercise.</p>
<p>While exercising outside you should keep 1.5 metres distance between yourself
and others and avoid sharing equipment.</p>
<p><a href="https://www.dhhs.vic.gov.au/updated-restrictions-1159pm-wednesday-8-july">www.dhhs.vic.gov.au</a></p>
</blockquote>
<p>Further down the page the DHHS makes clear you can leave your LGA as long as
you don’t leave the Melbourne metro area:</p>
<blockquote>
<p><strong>I live in Melbourne. Can I visit the beach?</strong></p>
<p>Yes. As long as it is for the purpose of exercise and within the Melbourne
metropolitan area. You are only allowed to exercise outside with one other
person, or members of your household.</p>
<p>While exercising outside you should keep 1.5 metres distance between yourself
and others and avoid sharing equipment.</p>
<p>In order to help stop the spread of coronavirus (COVID-19) across the state,
you cannot leave metropolitan Melbourne or the Shire of Mitchell to
exercise.</p>
<p><a href="https://www.dhhs.vic.gov.au/updated-restrictions-1159pm-wednesday-8-july">www.dhhs.vic.gov.au</a></p>
</blockquote>
<p>This is an important distinction for many Melburnians but particularly for
those <strong>living alone without family/friends in their LGA</strong>. Six weeks
without seeing a friend or loved one in person could seriously exacerbate an
already challenging time in isolation.</p>
<p>I’ve already spoken with a couple of people who are convinced they cannot leave
their LGA for exercise based on the wording on www.vic.gov.au. I’m convinced that
there has been a misunderstanding and that DHHS is the more credible source in
this instance.</p>
<p>I’ve submitted a request through
<a href="https://www.vic.gov.au/contact-us">https://www.vic.gov.au/contact-us</a> to ask
that they update the wording on their page to make clear that we are not
prevented from crossing LGA boundaries for exercise within Melbourne Metro
area.</p>
<p>The public deserve clarity on the Stay at Home restrictions being applied to
them. Every effort should be made by government to ensure information provided
is correct and able to be understood. If and when mistakes are detected, they
should be corrected promptly because misinformation spreads like a virus.</p>
<h1>Right-sizing your AWS Lambdas</h1>
<p>mbailey, 2019-05-09, <a href="https://mike.bailey.net.au/2019/05/right-sizing-your-aws-lambdas">https://mike.bailey.net.au/2019/05/right-sizing-your-aws-lambdas</a></p>
<p>I was recently able to reduce the cost of one of our serverless applications
by more than half by reducing the memory allocated to the lambdas.</p>
<p>Possible reasons we didn’t do this earlier:</p>
<ul>
<li>initial cost was low but increased later as traffic increased</li>
<li>team didn’t have knowledge/confidence to set lower threshold</li>
<li>we weren’t monitoring/alerting on memory usage</li>
</ul>
<h2 id="aws-lambda-pricing">AWS Lambda Pricing</h2>
<blockquote>
<p>AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.</p>
<ul>
<li>https://aws.amazon.com/lambda/</li>
</ul>
</blockquote>
<p>Lambda is charged based on the number and duration of requests (<a href="https://aws.amazon.com/lambda/pricing/">AWS
Pricing</a>). Duration is measured in GB-seconds, which is why it’s
possible to reduce your cost by reducing the maximum memory provided to your
lambdas.</p>
<p>You specify an amount between 128 MB and 3,008 MB in 64 MB increments. Lambda
allocates CPU power linearly in proportion to the amount of memory configured.
At 1,792 MB, a function has the equivalent of 1 full vCPU (one vCPU-second of
credits per second).</p>
<p>There are situations where provisioning far more memory than will be used is a
good choice. If the function is CPU bound (as opposed to waiting on responses
from the network) then increasing CPU will reduce duration, improving
performance without negatively impacting on cost.</p>
<p>The risk when setting memory for a Lambda is that execution halts immediately
if the function runs out of memory. Changes to the function over time may alter
its memory usage, so we’re best to monitor and alert on this.</p>
<h2 id="checking-memory-usage">Checking Memory Usage</h2>
<p>It’s relatively simple to report on the maximum memory being used by
a lambda. This can help you select an appropriate amount.</p>
<p>Lambda logs <code class="language-plaintext highlighter-rouge">maxMemoryUsed</code> for each function invocation to CloudWatch Logs.
CloudWatch Logs Insights includes a sample query that reports on overprovisioned
memory.</p>
<p>The example below is for a function that spends most of its time waiting
on responses from web APIs. The report shows it had 976 MB memory and used
at most 275 MB in the past three days. Note that the sample query returns
figures that may be confusing because it uses a different unit (MiB) than is
used for configuring Lambda functions (MB). (I’ve requested this be fixed.)</p>
<figure class="">
<img src="/images/cloudwatch-logs-insights-lambda-overprovisioned.png" alt="Log Insights" />
<figcaption>CloudWatch Logs Insights query displaying overprovisioned memory in Lambda
</figcaption>
</figure>
<h2 id="choose-good-memory-limit-for-your-function">Choose a good memory limit for your function</h2>
<p>We initially decided to set the memory to 384 MB and set up an alarm to alert us
if a function uses 80% of that (307 MB). On checking CloudWatch later we saw
function duration increased after the memory was decreased. This was due to the
CPU decrease that happens when you reduce memory for the lambda. We decided to
manually increase and decrease memory until we found a sweet spot of 512 MB.
This was still a 50% decrease in cost with minimal impact on duration.</p>
<h2 id="monitor-and-alert-in-case-things-change">Monitor and alert in case things change</h2>
<p>If our lambda memory usage increases over time, we want to be notified.
Below are snippets from the CloudFormation template for our application
that write memory used to a custom CloudWatch Metric and alert us if it
gets to 80% of the maximum we have set.</p>
<h3 id="cloudwatch-logs-metric-filter">CloudWatch Logs Metric Filter</h3>
<p>A Metrics Filter parses all logs from the function and writes the
<code class="language-plaintext highlighter-rouge">max_memory_used</code> value to a custom metric. This provides a convenient
way to graph and alert on that metric.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>AppMetricFilter:
  Type: AWS::Logs::MetricFilter
  Properties:
    LogGroupName:
      Ref: AppDashserverLogGroup
    # Matches the REPORT line Lambda writes per invocation and captures the
    # number that follows "Max Memory Used:" as max_memory_used_value.
    FilterPattern: '[ report_label="REPORT", ..., label="Used:", max_memory_used_value, unit="MB" ]'
    MetricTransformations:
      - MetricValue: '$max_memory_used_value'
        MetricNamespace: LogMetrics/Lambda
        MetricName: 'example-app-memoryUsed'
</code></pre></div></div>
<p>I’d not come across Metrics Filters before but am glad I have. From
what I can gather, a custom metric costs you $0.30/month but there is no
additional charge to have your CloudWatch logs filtered through a
Metrics Filter to feed it.</p>
<h3 id="cloudwatch-alarm">CloudWatch Alarm</h3>
<p>We created a CloudWatch alarm to notify us if the maximum memory used by a function exceeded 80% of what it was provisioned with.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>AppAlarmLambdaMemory:
  Type: AWS::CloudWatch::Alarm
  Properties:
    AlarmActions:
      - Ref: AwsAlertsAlarm
    AlarmDescription: Lambda memory usage above 80% for example-app-memoryUsed
    ComparisonOperator: GreaterThanThreshold
    EvaluationPeriods: 1
    MetricName: 'example-app-memoryUsed'
    Namespace: LogMetrics/Lambda
    Period: 60
    Statistic: Maximum
    Threshold: 307 # 80% of provisioned memory
    Unit: Megabytes
</code></pre></div></div>
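<p>As an added example (not the post’s own code), here is a Python parser for the REPORT lines the metric filter above matches, with the same 80% alarm comparison and the GB-second arithmetic from the pricing section; the log lines and the per-GB-second price constant are constructed assumptions.</p>

```python
"""Parse Lambda REPORT log lines, apply the 80%-of-provisioned alarm rule and
do the GB-second cost arithmetic. Added example; SAMPLE_LOG is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed on-demand prices (what AWS published at the time of the post).
PRICE_PER_GB_SECOND = 0.00001667
PRICE_PER_REQUEST = 0.20 / 1_000_000

# The REPORT line Lambda writes to CloudWatch Logs after every invocation.
# The metric filter in the post keys on the same "... Used: <n> MB" fields.
REPORT_RE = re.compile(
    r"REPORT RequestId: (?P<request_id>[0-9a-f-]+)\s+"
    r"Duration: (?P<duration_ms>[0-9.]+) ms\s+"
    r"Billed Duration: (?P<billed_ms>[0-9]+) ms\s+"
    r"Memory Size: (?P<memory_size_mb>[0-9]+) MB\s+"
    r"Max Memory Used: (?P<max_memory_used_mb>[0-9]+) MB"
)


@dataclass
class Report:
    request_id: str
    duration_ms: float
    billed_ms: int
    memory_size_mb: int
    max_memory_used_mb: int


def parse_report(line: str) -> Optional[Report]:
    """Return a Report for a REPORT line; None for START/END/application lines."""
    m = REPORT_RE.search(line)
    if m is None:
        return None
    return Report(
        request_id=m["request_id"],
        duration_ms=float(m["duration_ms"]),
        billed_ms=int(m["billed_ms"]),
        memory_size_mb=int(m["memory_size_mb"]),
        max_memory_used_mb=int(m["max_memory_used_mb"]),
    )


def parse_log(lines: List[str]) -> List[Report]:
    return [r for r in (parse_report(line) for line in lines) if r is not None]


def peak_memory_mb(reports: List[Report]) -> int:
    """Statistic: Maximum over the evaluation period."""
    return max(r.max_memory_used_mb for r in reports)


def alarm_threshold_mb(provisioned_mb: int, ratio: float = 0.8) -> int:
    """The post's rule: alarm at 80% of provisioned memory (384 MB -> 307 MB)."""
    return int(provisioned_mb * ratio)


def alarm_fires(reports: List[Report], provisioned_mb: int, ratio: float = 0.8) -> bool:
    """ComparisonOperator: GreaterThanThreshold on the Maximum statistic."""
    return peak_memory_mb(reports) > alarm_threshold_mb(provisioned_mb, ratio)


def gb_seconds(reports: List[Report], memory_mb: Optional[int] = None) -> float:
    """Billed GB-seconds (1 GB = 1024 MB, as Lambda pricing counts it).
    Pass memory_mb to project the bill at another memory setting while
    holding each invocation's billed duration constant."""
    total = 0.0
    for r in reports:
        mb = r.memory_size_mb if memory_mb is None else memory_mb
        total += (mb / 1024) * (r.billed_ms / 1000)
    return total


def compute_cost_usd(reports: List[Report], memory_mb: Optional[int] = None) -> float:
    return gb_seconds(reports, memory_mb) * PRICE_PER_GB_SECOND + len(reports) * PRICE_PER_REQUEST


def saving_ratio(reports: List[Report], new_memory_mb: int) -> float:
    """Fraction of compute (GB-second) cost saved by moving to new_memory_mb."""
    return 1 - gb_seconds(reports, new_memory_mb) / gb_seconds(reports)


# Constructed sample: a 976 MB function that peaks at 275 MB, as in the post.
SAMPLE_LOG = [
    "START RequestId: 0a1b2c3d-0000-4000-8000-000000000001 Version: $LATEST",
    "REPORT RequestId: 0a1b2c3d-0000-4000-8000-000000000001\tDuration: 1843.21 ms\t"
    "Billed Duration: 1900 ms\tMemory Size: 976 MB\tMax Memory Used: 275 MB",
    "REPORT RequestId: 0a1b2c3d-0000-4000-8000-000000000002\tDuration: 1120.05 ms\t"
    "Billed Duration: 1200 ms\tMemory Size: 976 MB\tMax Memory Used: 240 MB",
    "REPORT RequestId: 0a1b2c3d-0000-4000-8000-000000000003\tDuration: 733.90 ms\t"
    "Billed Duration: 800 ms\tMemory Size: 976 MB\tMax Memory Used: 190 MB",
]

if __name__ == "__main__":
    rs = parse_log(SAMPLE_LOG)
    print("peak MB:", peak_memory_mb(rs), "alarm at 384 MB:", alarm_fires(rs, 384))
    print("GB-s now: %.4f  at 512 MB: %.4f  saving: %.1f%%"
          % (gb_seconds(rs), gb_seconds(rs, 512), 100 * saving_ratio(rs, 512)))
```

<p>The projection holds each invocation’s billed duration fixed, so it overstates the saving for CPU-bound functions whose duration grows when memory (and with it CPU) is cut.</p>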
<h2 id="checking-your-lambdas-cost">Checking your lambda’s cost</h2>
<p>I recommend using AWS Cost Explorer to view your lambda costs. I generally
access it via the AWS Console, although I was excited to discover you can also
query it via the AWS CLI.</p>
<p>Some hints to help you break down costs by Lambda:</p>
<ul>
<li>Filters -> Include Only -> Lambda</li>
<li>Group By -> Tag: aws:cloudformation:stack-name</li>
</ul>
<h2 id="reduced-waste-and-early-warning-against-failure">Reduced waste and early warning against failure</h2>
<p>This work will save us around $600/month running this application. It also
provides us with more visibility into memory usage and alerts for when it
increases.</p>
<p>It’s often a tough call to decide whether the ROI on cost savings will justify the
effort. You don’t know until you try it. If you’ve blown your budget that can be a
motivation. Hopefully the information here can help others in their efforts to
reduce waste.</p>
<h1>Why You Should Enable S3 Block Public Access</h1>
<p>Mike Bailey, 2019-03-05, <a href="https://mike.bailey.net.au/2019/03/why-you-should-enable-s3-block-public-access">https://mike.bailey.net.au/2019/03/why-you-should-enable-s3-block-public-access</a></p>
<p>Amazon S3 enables you to accidentally share confidential information with the world.
The potential impact of misconfiguration justifies implementing controls made available
by AWS in November 2018.</p>
<p>Numerous <a href="https://github.com/nagwww/s3-leaks">data breaches</a> due to misconfigured AWS Buckets have been
reported in recent times and <a href="https://medium.com/@grayhatwarfare/how-to-search-for-open-amazon-s3-buckets-and-their-contents-https-buckets-grayhatwarfare-com-577b7b437e01">free tools</a> have been released that
can be used to scan for them. Even AWS staff have <a href="https://www.zdnet.com/article/aws-error-exposed-godaddy-server-secrets/?ref">made their buckets world readable
by mistake</a>.</p>
<p><a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html">S3 Block Public Access</a> lets you prevent S3 Buckets, and the objects
within them, from being configured to be accessible to the whole world.</p>
<p>It still allows you to share objects with specified targets such as:</p>
<ul>
<li>AWS Services</li>
<li>other AWS Accounts</li>
<li>specified IP address ranges</li>
</ul>
<h2 id="how-we-got-here">How we got here</h2>
<p>Amazon S3 was the first AWS Service launched, way back in 2006. Users store
file objects in Buckets and can control access to them through a variety of
mechanisms, including:</p>
<ul>
<li>Bucket ACLs</li>
<li>Object ACLs</li>
<li>Bucket Policies</li>
<li>IAM Policies</li>
</ul>
<p>Objects can be made accessible via:</p>
<ul>
<li>Unauthenticated Web requests (via http/https)</li>
<li>AWS API calls (via AWS Web Console, AWSCLI, SDKs, etc)</li>
<li><a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/S3Torrent.html">BitTorrent</a></li>
</ul>
<p>Confusion around the different methods for controlling access can lead to
mistakes. Amazon’s “<a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-alternatives-guidelines.html">only recommended use case</a>” for the bucket
ACL is to grant write permission to the Amazon S3 Log Delivery group to write
access log objects to your bucket, yet Bucket ACLs still make it easy to make
the Bucket world readable (and even writable!).</p>
<h2 id="detecting-publicly-accessible-buckets">Detecting Publicly Accessible Buckets</h2>
<p>AWS Trusted Advisor’s <a href="https://www.amazonaws.cn/en/support/trustedadvisor/best-practices/">S3 Bucket Permissions Check</a> has been free since Feb 2018.</p>
<p>Business and Enterprise support customers can use these checks to enable
automated actions via Trusted Advisor’s <a href="http://docs.aws.amazon.com/awssupport/latest/user/cloudwatch-events-ta.html">integration with CloudWatch Events</a>.</p>
<h2 id="block-s3-public-access">Block S3 Public Access</h2>
<p>In Nov 2018, AWS launched a new feature that lets you prevent objects in S3
Buckets from being made public. It consists of four settings which can
be applied at the Bucket or Account level. Applying them only at the Bucket level
may leave the rules open to being overridden.</p>
<p>Objects intended to be shared publicly (e.g. static websites) can have a Bucket
Policy configured to grant read access to a CloudFront <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-granting-permissions-to-oai">Origin Access Identity</a>.</p>
<p>For situations where CloudFront is considered overkill (it can take ~30 minutes to provision),
users may consider granting access to a specific IP Range, AWS Account or IAM Role.</p>
<h3 id="what-does-public-mean">What does <code class="language-plaintext highlighter-rouge">Public</code> mean</h3>
<ul>
<li>
<p>ACLs: AllUsers or AuthenticatedUsers</p>
</li>
<li>
<p>Policies</p>
<p>In order to be considered non-public, a bucket policy must grant access only to
fixed values (values that don’t contain a wildcard) of one or more of the
following:</p>
<ul>
<li>A set of Classless Inter-Domain Routings (CIDRs), using aws:SourceIp. For
more information about CIDR, see RFC 4632 on the RFC Editor website.</li>
<li>An AWS principal, user, role, or service principal</li>
<li>aws:SourceArn</li>
<li>aws:SourceVpc</li>
<li>aws:SourceVpce</li>
<li>aws:SourceOwner</li>
<li>aws:SourceAccount</li>
<li>s3:x-amz-server-side-encryption-aws-kms-key-id</li>
<li>aws:userid, outside the pattern “AROLEID:*”</li>
</ul>
</li>
</ul>
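<p>To make the rule above concrete, here is an added Python classifier (not from the post or from AWS) that applies it to a bucket policy; the policy is constructed and mirrors the CloudFormation example later in the post, and the treatment of negated and IfExists condition operators as non-restricting is an assumption.</p>

```python
"""Classify bucket-policy statements as public or non-public using the rule
quoted from the S3 Block Public Access docs: an Allow to everyone is only
non-public if it is limited by fixed (wildcard-free) values of listed keys.
Added example; SAMPLE_POLICY is constructed."""
import copy
from typing import Any, Dict, List

# Condition keys from the quoted rule (compared case-insensitively).
RESTRICTING_KEYS = {
    "aws:sourceip", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceowner", "aws:sourceaccount", "aws:userid",
    "s3:x-amz-server-side-encryption-aws-kms-key-id",
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} (in any list position) is an anonymous grant."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _fixed(value: Any) -> bool:
    # A value is fixed when it holds no wildcard; this also rejects the
    # aws:userid form "AROLEID:*" that the docs call out as still public.
    return isinstance(value, str) and "*" not in value and "?" not in value


def condition_restricts(condition: Any) -> bool:
    """True if a non-negated operator compares a restricting key against fixed values only."""
    if not isinstance(condition, dict):
        return False
    for operator, clauses in condition.items():
        # Assumption: negated operators (NotIpAddress, StringNotEquals, ...) and
        # ...IfExists operators widen rather than narrow the grant, so they don't count.
        if "Not" in operator or "IfExists" in operator or not isinstance(clauses, dict):
            continue
        for key, values in clauses.items():
            vals = _as_list(values)
            if key.lower() in RESTRICTING_KEYS and vals and all(_fixed(v) for v in vals):
                return True
    return False


def _public_indexes(policy: Dict[str, Any]) -> List[int]:
    out = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and principal_is_everyone(stmt.get("Principal"))
                and not condition_restricts(stmt.get("Condition"))):
            out.append(i)
    return out


def public_statements(policy: Dict[str, Any]) -> List[str]:
    """Sids (or positional labels) of statements the rule counts as public."""
    stmts = _as_list(policy.get("Statement", []))
    return [stmts[i].get("Sid", f"Statement[{i}]") for i in _public_indexes(policy)]


def is_public(policy: Dict[str, Any]) -> bool:
    return bool(public_statements(policy))


def harden(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the policy with the public statements removed."""
    drop = set(_public_indexes(policy))
    new = copy.deepcopy(policy)
    new["Statement"] = [s for i, s in enumerate(_as_list(new.get("Statement", []))) if i not in drop]
    return new


RESOURCE = "arn:aws:s3:::example-bucket/*"  # constructed bucket name
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OriginAccessIdentity", "Effect": "Allow", "Action": "s3:GetObject",
         "Principal": {"CanonicalUser": "EXAMPLE_CANONICAL_USER_ID"}, "Resource": RESOURCE},
        {"Sid": "TrustedNetwork", "Effect": "Allow", "Action": "s3:GetObject",
         "Principal": "*", "Resource": RESOURCE,
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "WorldRead", "Effect": "Allow", "Action": "s3:GetObject",
         "Principal": "*", "Resource": RESOURCE},
        {"Sid": "AnyRoleSession", "Effect": "Allow", "Action": "s3:GetObject",
         "Principal": {"AWS": "*"}, "Resource": RESOURCE,
         "Condition": {"StringLike": {"aws:userid": "AROAEXAMPLEROLEID:*"}}},
    ],
}

if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
    print("after harden():", public_statements(harden(SAMPLE_POLICY)))
```

<p>Use it as a pre-check on policies before enabling BlockPublicPolicy; S3’s own evaluation (GetBucketPolicyStatus) remains the authoritative answer.</p>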
<h2 id="enabling-s3-block-public-access-on-an-account">Enabling S3 Block Public Access on an Account</h2>
<p>Applying S3 Block Public Access may break things! Administrators applying this
feature should familiarize themselves with the <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html">AWS Documentation</a>.</p>
<p>In order to perform Block Public Access operations on an account, use the AWS
CLI service s3control.</p>
<p>The four settings (which can be configured independently) are:</p>
<ul>
<li><strong>BlockPublicAcls</strong>: Block setting of ACLs if they include public access</li>
<li><strong>IgnorePublicAcls</strong>: Ignore Public ACLs</li>
<li><strong>BlockPublicPolicy</strong>: Block setting of Policy that includes public access</li>
<li><strong>RestrictPublicBuckets</strong>: Restrict buckets with public Policy to same account
and AWS Principals</li>
</ul>
<p>The account-level operations that use this service are:</p>
<ul>
<li>PUT PublicAccessBlock (for an account)</li>
<li>GET PublicAccessBlock (for an account)</li>
<li>DELETE PublicAccessBlock (for an account)</li>
</ul>
<h2 id="example-cloudformation-for-granting-access-to-origin-access-identity-and-ip-range">Example CloudFormation for granting access to Origin Access Identity and IP range</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>  CFOAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Ref AWS::StackName
  Bucket:
    Type: AWS::S3::Bucket
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: "2012-10-17"   # quoted so YAML doesn't parse it as a date
        Id: PolicyForCloudFrontPrivateContent
        Statement:
          - Sid: Grant a CloudFront Origin Identity access to support private content
            Action: "s3:GetObject"
            Effect: "Allow"
            Principal:
              CanonicalUser: !GetAtt CFOAI.S3CanonicalUserId
            Resource: !Sub "arn:aws:s3:::${Bucket}/*"
          - Sid: Grant access from Trusted Network
            Action: "s3:GetObject"
            Effect: "Allow"
            Principal: "*"
            Resource: !Sub "arn:aws:s3:::${Bucket}/*"
            Condition:
              IpAddress:
                # OfficeIp is a String parameter holding a fixed CIDR (no wildcard),
                # which is what keeps this "*" grant non-public under Block Public Access
                aws:SourceIp: !Ref OfficeIp
</code></pre></div></div>
<h1>Don’t Buck the System, Change it</h1>
<p>Mike Bailey, 2018-11-04, <a href="https://mike.bailey.net.au/2018/11/dont-buck-the-system-change-the-system">https://mike.bailey.net.au/2018/11/dont-buck-the-system-change-the-system</a></p>
<p>I don’t consider myself a Buddhist but attest to their belief that “Life is
Suffering”. Not all of it all the time, but there’s always some waiting. To
some this might sound like a pretty negative view but it doesn’t have to be.
What gives me strength is the knowledge that not <em>all</em> suffering is out of my
control.</p>
<p>This post is about making changes to systems that affect other people. It’s not
intended to cover changes to personal habits.</p>
<h1 id="find-things-worth-suffering-for">Find Things Worth Suffering For</h1>
<p>Life is change and change often involves suffering.</p>
<p>Bringing a pet into your life generally means accepting the grief that comes
with outliving them (unless you choose a <a href="https://en.wikipedia.org/wiki/White_cockatoo">White Cockatoo</a>, which can live
40-60 years in captivity).</p>
<p>Improving your health, wealth or education might involve going without things
you enjoy and doing things you don’t.</p>
<p>System change that affects other people, whether in the workplace, government or
community is hard work and success is never guaranteed. If you’re going to attempt
it, make sure you choose something worth suffering for.</p>
<h1 id="serenity-courage-wisdom">Serenity, Courage, Wisdom</h1>
<p>Before the Internet came along, memes thrived in the form of kitchen calendars
and fridge magnets. You may be familiar with this one:</p>
<figure class="">
<img src="/images/serenity.png" alt="Serenity" />
<figcaption>Serenity Fridge Magnet.
</figcaption>
</figure>
<blockquote>
<p>God, grant me the serenity to accept the things I cannot change,<br />
Courage to change the things I can,<br />
And wisdom to know the difference.</p>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Serenity_Prayer">Reinhold Niebuhr</a></li>
</ul>
</blockquote>
<p>Now I know Christian Theologians may not be in vogue these days but they <em>were</em>
“<a href="https://www.youtube.com/watch?v=iHmLljk2t8M">putting a bird on it</a>” long before the hipsters caught onto it. The value is
in the message, not who said it.</p>
<h2 id="accept-the-things-i-cannot-change">“Accept the Things I Cannot Change”</h2>
<p>I would change this to “Accept the things I <em>should</em> not change”:</p>
<ul>
<li>A sysadmin with root privileges <em>can</em> invade people’s privacy</li>
<li>A person in executive government <em>can</em> enact laws that cause unnecessary suffering</li>
</ul>
<p>Just because you <em>can</em> change the world to better suit you, it doesn’t follow that you <em>should</em>.</p>
<p>I accept that I cannot change all the fridge magnets. I reckon I <em>could</em>
get Alcoholics Anonymous to change the version they promote but <em>shouldn’t</em> because
the change:</p>
<ul>
<li>would provide little benefit to me</li>
<li>would provide little benefit to others</li>
<li>would require a huge amount of effort (including other people’s)</li>
</ul>
<p><img src="/images/maybe-do-it.jpg" alt="maybe-do-it" /></p>
<h1 id="do-you-have-skin-in-the-game">Do you have ‘skin in the game’?</h1>
<p>Just because something <em>should</em> change, that doesn’t necessarily mean you should
be the one to do it. You know best how to scratch your own itch. Avoid trying
to lead on change that doesn’t impact on you personally. You’re unlikely to
have the passion, connection and understanding of someone with skin in the
game. By all means, support these efforts where you believe in the goals but
don’t try to own them.</p>
<blockquote>
<p>A Pig and a Chicken are walking down the road.<br />
The Chicken says: “Hey Pig, I was thinking we should open a restaurant!”<br />
Pig replies: “Hm, maybe, what would we call it?”<br />
The Chicken responds: “How about ‘ham-n-eggs’?”<br />
The Pig thinks for a moment and says: “No thanks. I’d be committed, but you’d only be involved.”</p>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Reinhold_Niebuhr">Pig and Chicken fable</a></li>
</ul>
</blockquote>
<p>It’s captured more succinctly in the “<a href="https://en.wikipedia.org/wiki/Nothing_About_Us_Without_Us">Nothing About Us Without
Us</a>” mantra popular with ethnic, disability and other
marginalised groups.</p>
<h1 id="does-anyone-else-knowcare">Does anyone else know/care?</h1>
<p>Who else would benefit from the change? Who would suffer? If there isn’t the
likelihood of a net benefit to the group, you’re unlikely to get the buy-in
required to make the change. Unless you intend to mislead or coerce people
into doing things your way, you’re probably best accepting this as a thing
you shouldn’t change.</p>
<h2 id="courage-to-change-the-things-i-can">“Courage to Change the Things I Can”</h2>
<p>I don’t think most people realise how malleable the world is. The video below
says it better than I can.</p>
<iframe width="560" height="315" src="https://www.youtube.com/embed/zklbZR9025Y" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen=""></iframe>
<blockquote>
<p>“When you grow up you tend to get told that the world is the way it is and
your life is just to live your life inside the world. Try not to bash into
the walls too much. Try to have a nice family life, have fun, save a little
money. That’s a very limited life. Life can be much broader once you discover
one simple fact: Everything around you that you call life was made up by
people that were no smarter than you. And you can change it, you can
influence it… Once you learn that, you’ll never be the same again.”</p>
<ul>
<li>Steve Jobs</li>
</ul>
</blockquote>
<h2 id="and-the-wisdom-to-know-the-difference">“And the Wisdom to Know the Difference”</h2>
<p>I’m not sure about wisdom but I hope this post offers some food for thought.</p>
<h1>Semantic CloudFormation Parameter Values</h1>
<p>Mike Bailey, 2018-11-03, <a href="https://mike.bailey.net.au/2018/11/semantic-cloudformation-parameter-values">https://mike.bailey.net.au/2018/11/semantic-cloudformation-parameter-values</a></p>
<p>Here’s a <strong>pure CloudFormation</strong> solution to two annoyances I encounter when
managing AWS CloudFormation Parameters. It allows you to <em>optionally</em> specify
exported CloudFormation Output values in your CloudFormation Parameters.</p>
<p>Most resources I deploy on AWS are managed via CloudFormation using reusable
templates and custom Parameters. Configuring the Parameters often requires
looking up resource identifiers for VPCs, Subnets, Route Tables and the like.</p>
<p>Here are the Parameters for a stack that creates routes for a VPC Peering Connection:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[
  {
    "ParameterKey": "RemoteSubnet1CIDR",
    "ParameterValue": "10.0.38.0/24"
  },
  {
    "ParameterKey": "RemoteSubnet2CIDR",
    "ParameterValue": "10.0.39.0/24"
  },
  {
    "ParameterKey": "RouteTable1",
    "ParameterValue": "rtb-01234567"
  },
  {
    "ParameterKey": "RouteTable2",
    "ParameterValue": "rtb-12345678"
  },
  {
    "ParameterKey": "VpcPeeringConnection",
    "ParameterValue": "pcx-11111111111111111"
  }
]
</code></pre></div></div>
<h3 id="the-annoyances">The Annoyances</h3>
<p>I love CloudFormation but the file above annoys me for two reasons:</p>
<ol>
<li>
<p>It doesn’t convey much about these route tables or subnets</p>
<p>These routes are for the <code class="language-plaintext highlighter-rouge">bma-prod</code> VPC to get to <code class="language-plaintext highlighter-rouge">internal</code> subnets on <code class="language-plaintext highlighter-rouge">failmode-prod</code>.
In order to work that out you would need to lookup each value. That’s toil.</p>
</li>
<li>
<p>I had to query AWS to find these values</p>
<p>When creating the Parameters file for the <code class="language-plaintext highlighter-rouge">non-prod</code> account, I would need to lookup
all these values again. That’s toil.</p>
</li>
</ol>
<h3 id="semantic-cloudformation-parameter-values">Semantic CloudFormation Parameter Values</h3>
<p>The VPCs I deploy export <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-exports.html">Stack Output</a> values that can be imported by other Stacks.
These are given unique names by prepending the stack name to the value identifier.</p>
<p>I resolved both annoyances above by updating my Parameters file to refer to these values:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[
  {
    "ParameterKey": "RemoteSubnet1CIDR",
    "ParameterValue": "import:vpc-failmode-prod-SUBNETINTERNAL1CIDR"
  },
  {
    "ParameterKey": "RemoteSubnet2CIDR",
    "ParameterValue": "import:vpc-failmode-prod-SUBNETINTERNAL2CIDR"
  },
  {
    "ParameterKey": "RouteTable1",
    "ParameterValue": "import:vpc-bma-prod-RTBPRIVATE1"
  },
  {
    "ParameterKey": "RouteTable2",
    "ParameterValue": "import:vpc-bma-prod-RTBPRIVATE2"
  },
  {
    "ParameterKey": "VpcPeeringConnection",
    "ParameterValue": "pcx-11111111111111111"
  }
]
</code></pre></div></div>
<h3 id="adding-support-to-the-stack-template">Adding Support to the Stack Template</h3>
<p>This pure CloudFormation pattern supports both of the Parameter styles shown above. We define some
conditions that look for <code class="language-plaintext highlighter-rouge">import:</code> at the start of a Parameter value and this
determines whether it should be imported or simply used as a string.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>AWSTemplateFormatVersion: '2010-09-09'
Description: VPC Peering Routes
Parameters:
  VpcPeeringConnection:
    AllowedPattern: ^pcx-[a-f0-9]+$
    ConstraintDescription: Must be a valid VPC peering ID
    Description: VPC Peering connection ID
    MinLength: '12'
    MaxLength: '21'
    Type: String
  RemoteSubnet1CIDR:
    Description: CIDR range of Remote Internal subnet 1
    Type: String
  RemoteSubnet2CIDR:
    Description: CIDR range of Remote Internal subnet 2
    Type: String
  RouteTable1:
    Description: Local Route Table 1
    Type: String
  RouteTable2:
    Description: Local Route Table 2
    Type: String
Conditions:
  # True when the parameter value starts with "import:"
  ImportRemoteSubnet1CIDR: !Equals [ "import", !Select [ 0, !Split [ ":", !Ref RemoteSubnet1CIDR ] ] ]
  ImportRemoteSubnet2CIDR: !Equals [ "import", !Select [ 0, !Split [ ":", !Ref RemoteSubnet2CIDR ] ] ]
  ImportRouteTable1: !Equals [ "import", !Select [ 0, !Split [ ":", !Ref RouteTable1 ] ] ]
  ImportRouteTable2: !Equals [ "import", !Select [ 0, !Split [ ":", !Ref RouteTable2 ] ] ]
Resources:
  RouteTable1ToRemoteSubnet1:
    Type: AWS::EC2::Route
    Properties:
      # Import the export named after "import:", otherwise use the value as-is
      DestinationCidrBlock: !If
        - ImportRemoteSubnet1CIDR
        - Fn::ImportValue: !Select [ 1, !Split [ ":", !Ref RemoteSubnet1CIDR ] ]
        - !Ref 'RemoteSubnet1CIDR'
      RouteTableId: !If
        - ImportRouteTable1
        - Fn::ImportValue: !Select [ 1, !Split [ ":", !Ref RouteTable1 ] ]
        - !Ref 'RouteTable1'
      VpcPeeringConnectionId: !Ref 'VpcPeeringConnection'
</code></pre></div></div>
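<p>As an added example that is not part of the post, this Python resolver applies the same <code class="language-plaintext highlighter-rouge">import:</code> convention outside CloudFormation so a parameters file can be checked before <code class="language-plaintext highlighter-rouge">create-stack</code>; the export map is constructed and stands in for the output of <code class="language-plaintext highlighter-rouge">aws cloudformation list-exports</code>, and the CIDR and route-table sanity checks go beyond what the template itself enforces.</p>

```python
"""Resolve "import:<ExportName>" parameter values against a map of stack
exports and validate the result, mirroring the template's Conditions.
Added example; SAMPLE_EXPORTS and SAMPLE_PARAMETERS_JSON are constructed."""
import json
import re
from typing import Dict, List

IMPORT_PREFIX = "import"

# The same constraints the template places on VpcPeeringConnection.
PCX_PATTERN = re.compile(r"^pcx-[a-f0-9]+$")
PCX_MIN_LEN, PCX_MAX_LEN = 12, 21
# Extra sanity checks (assumption: not enforced by the template, but the
# AWS::EC2::Route would fail with anything else).
CIDR_PATTERN = re.compile(r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$")
RTB_PATTERN = re.compile(r"^rtb-[a-f0-9]+$")


class MissingExport(KeyError):
    """Raised where CloudFormation would fail the Fn::ImportValue at deploy time."""


def resolve_value(value: str, exports: Dict[str, str]) -> str:
    """Mirror the template: the text before the first ":" decides whether the
    value names an export to look up or is a literal to use as-is."""
    prefix, sep, export_name = value.partition(":")
    if prefix != IMPORT_PREFIX:
        return value
    if not sep or not export_name:
        # "import" alone satisfies the Condition but breaks !Select [1, ...];
        # surface that before deploy instead of at stack creation.
        raise ValueError(f"no export name after {IMPORT_PREFIX!r} in {value!r}")
    if export_name not in exports:
        raise MissingExport(export_name)
    return exports[export_name]


def resolve_parameters(params_json: str, exports: Dict[str, str]) -> Dict[str, str]:
    """Parse a CloudFormation parameters file and resolve every value."""
    params = json.loads(params_json)
    return {p["ParameterKey"]: resolve_value(p["ParameterValue"], exports) for p in params}


def validate(resolved: Dict[str, str]) -> List[str]:
    """Apply the template's parameter constraints; returns a list of problems."""
    problems = []
    pcx = resolved.get("VpcPeeringConnection", "")
    if not PCX_PATTERN.match(pcx) or not PCX_MIN_LEN <= len(pcx) <= PCX_MAX_LEN:
        problems.append("VpcPeeringConnection: must be a valid VPC peering ID")
    for key in ("RemoteSubnet1CIDR", "RemoteSubnet2CIDR"):
        if not CIDR_PATTERN.match(resolved.get(key, "")):
            problems.append(f"{key}: not a CIDR block")
    for key in ("RouteTable1", "RouteTable2"):
        if not RTB_PATTERN.match(resolved.get(key, "")):
            problems.append(f"{key}: not a route table id")
    return problems


# Constructed stand-in for `aws cloudformation list-exports` output, using the
# export names and values that appear in the post.
SAMPLE_EXPORTS = {
    "vpc-failmode-prod-SUBNETINTERNAL1CIDR": "10.0.38.0/24",
    "vpc-failmode-prod-SUBNETINTERNAL2CIDR": "10.0.39.0/24",
    "vpc-bma-prod-RTBPRIVATE1": "rtb-01234567",
    "vpc-bma-prod-RTBPRIVATE2": "rtb-12345678",
}

SAMPLE_PARAMETERS_JSON = json.dumps([
    {"ParameterKey": "RemoteSubnet1CIDR", "ParameterValue": "import:vpc-failmode-prod-SUBNETINTERNAL1CIDR"},
    {"ParameterKey": "RemoteSubnet2CIDR", "ParameterValue": "import:vpc-failmode-prod-SUBNETINTERNAL2CIDR"},
    {"ParameterKey": "RouteTable1", "ParameterValue": "import:vpc-bma-prod-RTBPRIVATE1"},
    {"ParameterKey": "RouteTable2", "ParameterValue": "import:vpc-bma-prod-RTBPRIVATE2"},
    {"ParameterKey": "VpcPeeringConnection", "ParameterValue": "pcx-11111111111111111"},
])

if __name__ == "__main__":
    resolved = resolve_parameters(SAMPLE_PARAMETERS_JSON, SAMPLE_EXPORTS)
    print(json.dumps(resolved, indent=2))
    print("problems:", validate(resolved))
```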
<h3 id="conclusion">Conclusion</h3>
<p>I like this pattern because it:</p>
<ul>
<li>makes it easier to create and read parameter files</li>
<li>doesn’t have any external dependencies</li>
<li>also supports specifying resource ids as strings</li>
</ul>
<p>Feedback welcome in the comments.</p>
<h1>Smoking: Prevention &amp; Treatment</h1>
<p>Mike Bailey, 2015-10-25, <a href="https://mike.bailey.net.au/2015/10/smoking-prevention-and-treatment">https://mike.bailey.net.au/2015/10/smoking-prevention-and-treatment</a></p>
<p>When it comes to life-threatening situations, prevention and treatment serve
different purposes and importantly, different populations.</p>
<p>For example, responses to the AIDS epidemic in the 1980s included campaigns to
educate the public on how to reduce their risk of contracting HIV as well as
research into a cure. Effective treatment options were discovered which greatly
improve the prognosis for infected people with access to them.</p>
<p>During this same period, our public health bodies seem to have focused on prevention but
have failed to identify effective methods for people who want to stop smoking. The
<a href="http://www.quit.org.au/preparing-to-quit/choosing-best-way-to-quit">methods many organisations promote</a> see reported relapse rates of around
80% within the first six months.</p>
<p>These include:</p>
<ul>
<li>Cold Turkey (Quitting abruptly)</li>
<li>Nicotine Replacement Products (Patches, gum, lozenge, mouth spray, inhalator)</li>
<li>Quitting Medication (Champix or Zyban)</li>
</ul>
<p>It’s unfathomable that ineffective treatments for tobacco addiction are being
promoted while little effort is made to identify effective methods for people
to use to stop smoking.</p>
<p>Australia’s <a href="http://www.nationaldrugstrategy.gov.au/internet/drugstrategy/publishing.nsf/Content/national_ts_2012_2018">National Tobacco Strategy</a> lists a number of objectives which
include:</p>
<ul>
<li>prevent uptake of smoking</li>
<li>encourage and assist as many smokers as possible to quit as soon as possible, and prevent relapse</li>
</ul>
<p>These objectives assist two separate populations, never smokers and smokers.
The needs of people who smoke cannot be served meaningfully while we do not
have effective methods for them to quit.</p>
<p>The reduction in smoking rates in Australia this century has been mainly due to an
increase in never-smokers, with the percentage of ex-smokers staying fairly constant.</p>
<p><strong><a href="http://www.aihw.gov.au/alcohol-and-other-drugs/ndshs-2013/">National Drug Strategy Household Survey 2013</a> - Tobacco Smoking Status</strong></p>
<blockquote>
<p>one-quarter (24%) of the population were ex-smokers and this has remained
fairly stable since 1998 when the proportion of ex-smokers first exceeded the
proportion smoking daily</p>
</blockquote>
<p><img src="/images/ndshs-2013-tobacco-smoking-status-1991-2013.png" alt="'one-quarter (24%) of the population were ex-smokers and this has remained fairly stable since 1998 when the proportion of ex-smokers first exceeded the proportion smoking daily'" class="img-responsive" /></p>
<p>Australia’s smoking bans, tax hikes, advertising campaigns and other efforts may have
contributed to reduced uptake of smoking but do not appear to have made quitting easier.
While efforts have focussed on children, there has been little change in daily smoking
among people aged 60 or older this century.</p>
<p><img src="/images/ndshs-2013-daily-smokers-2001-2013.png" alt="daily smokers" /></p>
<p>We know that most smokers <a href="http://www.ncbi.nlm.nih.gov/pubmed/15799597">regret taking up the habit</a>. We need to acknowledge
the high relapse rates for currently promoted smoking cessation methods and
get to work identifying effective alternatives.</p>
<p>In 2013, around 40% of Australians who smoke heavily tried to give up
unsuccessfully (<a href="http://www.aihw.gov.au/alcohol-and-other-drugs/ndshs-2013/">NDSHS</a>). We don’t need to be convinced we should quit, we
need to know how.</p>
Mike Bailey
How to Save Money
2014-01-08T22:11:00+11:00
https://mike.bailey.net.au/2014/01/how-to-save-money
<p>Are you price conscious in your everyday spending? A lot of us aren’t for the
basic reason that it consumes brain cycles for little perceived reward.
Quitting smoking led to an adjustment in the way I value money. Forking out $20 a
day for something that literally goes up in smoke can make saving $5 a day on
parking seem pretty irrelevant.</p>
<p>In considering my monthly spend I found a number of ways I could spend less
without any real impact on my quality of life. Perhaps some of these could
help you?</p>
<h2 id="stop-smoking-start-vaping-600mon">Stop Smoking, Start Vaping ($600/mon)</h2>
<p>I’d describe myself as dependent on nicotine. My pack a day habit was costing
me $600 a month. I’m now using a vaporiser to get my nicotine fix for $20 a
month.</p>
<h2 id="park-10-minutes-walk-from-office-110mon">Park 10 minutes walk from office ($110/mon)</h2>
<p>Adding 20 minutes of gentle exercise to my otherwise sedentary existence saves me
a packet.</p>
<h2 id="stop-buying-takeaway-coffee-88mon">Stop buying takeaway coffee ($88/mon)</h2>
<p>We have coffee machines at work. It’s free and I’m a good milk frother.</p>
<h2 id="find-cheaper-car-insurance-35mon">Find cheaper car insurance ($35/mon)</h2>
<p>I was surprised how easy this one was. Thanks Google.</p>
<h2 id="buy-supermarket-milk-30mon">Buy supermarket milk ($30/mon)</h2>
<p>I was under the mistaken impression that the branded milk was better.</p>
<iframe width="560" height="315" src="//www.youtube.com/embed/IIOvRO8k7uI" frameborder="0" allowfullscreen=""></iframe>
<h2 id="pay-less-for-petrol-12mon">Pay Less for Petrol ($12/mon)</h2>
<p>There’s about a 10% difference between low and high prices for petrol depending
on when in the cycle you fill up. I can save $6 on a 40 litre tank by filling up
at the right time.</p>
<p>A tank lasts me 2 weeks. If you need to fill more often YMMV.</p>
<p><img src="http://www.accc.gov.au/sites/www.accc.gov.au/files/fuelwatch/melbourne.jpg" alt="ACCC report on Australian petrol price cycle" /></p>
<p>Vendors try to mix it up but the graph above is updated daily and gives a good
idea of when it’s a good time to buy. They also have <a href="http://www.accc.gov.au/consumers/petrol-diesel-and-lpg/recent-city-petrol-prices">petrol prices for other Australian states</a>.</p>
<h2 id="dont-buy-premium-fuel-unless-your-car-needs-it-8mon">Don’t buy premium fuel unless your car needs it ($8/mon)</h2>
<p>I’m not a petrol head and haven’t even researched this one very well but started
saving around $4 on a tank of fuel by not paying for premium.</p>
<p>Australian petrol stations market several types of unleaded petrol. They tend to
be 91, 95 and 98 “octane”. I don’t know much about fuel and the higher numbers
cost more so I tended to choose 95 or 98 thinking I must be getting more from
it.</p>
<p>It turns out some cars (European) require high octane fuels or their performance
deteriorates. I checked my Subaru manual and it said I was fine using 91 octane fuel.</p>
Mike Bailey
Truth about Edinburgh Gardens NYE
2014-01-06T19:36:00+11:00
https://mike.bailey.net.au/2014/01/edinburgh-gardens
<p>What happens when more than 15,000 revellers converge on an inner city Melbourne
park to ring in the new year with no perimeter fencing, BYO drugs/alcohol and
just 12 police officers on duty?</p>
<p>A potential horror story of violence and destruction didn’t eventuate but
this hasn’t stopped the media from describing it as such.</p>
<p>There are over 15,000 different versions of NYE in Edinburgh Gardens 2014 and I
suspect most people had a pretty fun time. The fact it turned out to be a
largely peaceful celebration despite the absence of any effective crowd
control seems both newsworthy and worthy of further discussion.</p>
<blockquote>
<p>Ms Fristacky says local residents had varied views of the New Year’s Eve
party. “Quite a few residents who attended said it was a great night, they
enjoyed it, it was 20,000 people mostly peaceful, yes there were some
incidents, but they were isolated.”</p>
<p><a href="http://www.abc.net.au/local/audio/2014/01/02/3919817.htm">City of Yarra Mayor quoted by ABC</a></p>
</blockquote>
<p>Reading between the lines, the night sounds a bit like a night at an open air
music festival like Meredith or Golden Plains. Events like these show us that
while we will never be completely rid of dickheads, most people want to be good
to each other.</p>
<p>Misrepresentation of the evening and vilification of its participants has spread
righteous indignation far beyond residents of the park’s gentrified surrounds.
Yarra Council is now facing increased pressure to crack down on park users.</p>
<h2 id="trashing-the-gardens">‘Trash’ing the Gardens</h2>
<p>We were told the park was <a href="http://www.theage.com.au/victoria/council-counts-cost-of-trashed-park-after-dance-party-20140101-3063f.html">trashed</a>. While this brings thoughts of vandalism and
permanent damage, reporters were actually referring to litter, most of which
was picked up and removed by Council staff and volunteers by sunset on 1
Jan.</p>
<p>Now don’t get me wrong, there was a whole lot of litter. The place was a mess
but one man’s trash is another man’s treasure and the indignation inspiring
imagery was media gold for the evening news and daily papers.</p>
<figure class="">
<img src="/images/edinburgh-gardens-rubbish.jpg" alt="" />
<figcaption>What kind of people would do this?
</figcaption>
</figure>
<blockquote>
<p>“inadequate lighting and excessive crowding also appeared to dissuade people
from using the rubbish bins and toilet facilities provided, with significant
complaints about public urination;”</p>
<ul>
<li><a href="http://www.yarracity.vic.gov.au/DownloadDocument.ashx?DocumentID=10222">Council Report</a></li>
</ul>
</blockquote>
<figure class="">
<img src="/images/boys-in-park.png" alt="" />
<figcaption>Oh yeah, people partying in the dark
</figcaption>
</figure>
<p>Music festivals like Meredith and Golden Plains see attendees cleaning up the
mess from the night before when the sun rises.</p>
<h2 id="fence-climbing">Fence Climbing</h2>
<p>Climbing can be fun but the recently installed tennis court fences aren’t very
strong. The top bars slipped under the weight of people climbing on them. The
Herald Sun reported this as <a href="http://www.heraldsun.com.au/news/victoria/happy-new-year-victoria-parties-into-2014/story-fni0fit3-1226792796876">vandalism</a>. By these standards your
average two year old is a wanton vandal.</p>
<figure class="">
<img src="/images/fence-climbing.png" alt="" />
<figcaption>Darwin was Right
</figcaption>
</figure>
<h2 id="casualties">Casualties</h2>
<blockquote>
<p>Ambulance staff set up an emergency triage area in the park, where they
treated about 20 people.</p>
<p>Most were treated for alcohol-related problems, while others suffered cuts
from broken glass in the park.</p>
<p><a href="http://www.abc.net.au/news/2014-01-01/paramedics-outraged-by-dangerous-nye-party/5180670">“Paramedics Outraged”</a></p>
</blockquote>
<p>Meredith and Golden Plains are two music festivals where you can bring your own alcohol but have a strict NO GLASS POLICY.</p>
<p>There were two violent acts reported. A man lost several teeth when he was
<a href="http://www.theage.com.au/victoria/mans-teeth-smashed-in-attack-during-edinburgh-gardens-new-years-eve-party-20140102-306ji.html">punched in the face</a> and a seventeen year old boy was arrested
after he allegedly <a href="http://www.theage.com.au/victoria/messy-new-years-eve-in-edinburgh-gardens-north-fitzroy-20140101-305ag.html">punched a female police officer</a> in the face.</p>
<p>I don’t think anyone has worked out a solution to dickheads but MMF try:</p>
<blockquote>
<p>Festivals at the Meredith Supernatural Amphitheatre have a No Dickhead Policy.</p>
<p>Essentially this is a self-policing policy whereby ‘the dickhead’ is not
celebrated at the festival. Dickheads or people involved in dickhead
behaviour will usually find that a solid citizen will firmly but politely
inform them that their dickhead behaviour is not admired or appreciated. The
Dickhead will usually realise they are being a dickhead and pull their head
in. If not, our Helpers or Staff or even Security might make a discreet
intervention.</p>
<p>So if you are a Dickhead, this festival isn’t for you.</p>
<p><a href="http://2013.mmf.com.au/what-goes-on/dickhead-policy/">MMF No Dickhead Policy</a></p>
</blockquote>
<h2 id="hey-rupert-stop-bashing-our-youth">Hey Rupert, Stop Bashing Our Youth</h2>
<p>Demonising our youth may sell papers but what does it do to our social fabric?
Crafting words that stir up moral panic doesn’t make life easier for anyone.</p>
<p>The sky is not falling and the connected generations are not falling for your lies.</p>
Mike Bailey
Fun with Retinal Burns
2012-11-26T23:32:11+11:00
https://mike.bailey.net.au/2012/11/fun-with-retinal-burns
<p><strong>Disclaimer: Don’t look at any bright light source. It may damage your eyes!</strong></p>
<p>The sound of a fly buzzing meant one more thing for me to do before going to bed.
What happened next took me by surprise and provided some fascinating
entertainment that I thought I’d share with you.</p>
<p>Returning from the kitchen with a can of fly spray, I heard its intended
target was in the last remaining light source in my house - the big orange
lampshade by the couch. After peering down into the lampshade and releasing a
couple of light sprays I returned to the darkened kitchen only to notice I was
seeing spots, three large overlapping ones to be precise.</p>
<p>These black Venn Diagrammesque apparitions were due to photobleaching of the
chemicals my eyes use to sense light. They were in three distinct places
because the eye flicks quickly when scanning - if I had been watching a marble
race I’m sure it would have been a circle.</p>
<p>Anyway, we’ve all seen spots, right? What was really neat was what I discovered
next…</p>
<p>Covering my eye made the spots go a light colour. Looking at the pantry doors
resulted in them being dark. The spots faded within seconds; however, covering
my eyes brought them back, as did shifting my gaze to a different area in the
room. I think I’ve found a new way to demonstrate perceptual filling-in. Until
now I’ve only heard of <a href="http://www.med.yale.edu/neurobio/mccormick/fill_in_seminar/introduction.html">blind spot
fill-in</a>.</p>
<p>The beauty of retinal burn fill-in is that you don’t need to find your blind
spot, or be a certain distance from things as you can control where you place
the burn. It’s amazing to watch the burn dissolve as the brain fills in the
missing information. I’d advise against deliberately looking into any bright
light source <strong>but</strong> next time it happens I suggest you use the opportunity to
experience first hand the difference between the signals your eyes send and
what you perceive.</p>
mbailey
Vagrant notes
2012-10-06T22:38:25+10:00
https://mike.bailey.net.au/2012/10/vagrant-notes
<p>I’m a massive fan of <a href="http://vagrantup.com/">Vagrant</a>’s command line
virtualisation goodness. This post is me trying to find a public place for my
vagrant notes to rest (I couldn’t find a cardboard box).</p>
<h3 id="vagrant-hostmaster"><a href="https://github.com/mosaicxm/vagrant-hostmaster">vagrant-hostmaster</a></h3>
<p>This vagrant rubygem plugin automatically updates /etc/hosts on your guests and
host box each time you run vagrant [up|provision].</p>
<h3 id="vagrant-vbguest"><a href="https://github.com/dotless-de/vagrant-vbguest">vagrant-vbguest</a></h3>
<p><em>vagrant-vbguest</em> is a <a href="http://vagrantup.com/">Vagrant</a> plugin which
automatically installs the host’s VirtualBox Guest Additions on the guest
system.</p>
mbailey