Python on Bastab C

Infrastructure as Code with AWS CDK - Series Overview

Mon, 21 Apr 2025 00:00:00 +0000

AWS CDK lets you define cloud infrastructure in familiar programming languages - Python, TypeScript, Java - and synthesise it into CloudFormation. Compared to writing raw CloudFormation or Terraform HCL, CDK gives you loops, conditionals, type safety, and the ability to share constructs across teams as libraries.

This series works through practical CDK patterns using Python, using a consistent use case across all parts to make trade-offs easy to compare.

Use case

Deploy an AWS Lambda function that processes files uploaded to an S3 bucket. Configuration - bucket name, log level, Lambda timeout - varies per environment (dev, staging, prod).

Simple infrastructure by design. The focus is on the CDK patterns, not the resources.

The series

Chapter 1 - Project setup and bootstrapping

Getting a CDK project off the ground - directory structure, virtual environments, bootstrapping an AWS account, and understanding the synth/deploy cycle.

Chapter 2 - Managing configuration and context

How environment-specific values flow into CDK stacks - four approaches covering local static config, local dynamic config, SSM Parameter Store, and Secrets Manager, with trade-offs and code examples for each.

Building reusable constructs - L1, L2, L3 abstractions, packaging as a library, and sharing across projects or teams.

Chapter 4 - Testing CDK stacks (coming soon)

Unit testing stacks with assertions, snapshot testing, and integration testing patterns.

Chapter 5 - CI/CD with CDK (coming soon)

Automating deployments with CDK Pipelines - self-mutating pipelines, promoting changes across environments, and handling rollbacks.

Notes

All examples use Python and CDK v2
Steps are tested on WSL2/Ubuntu on Windows and native macOS terminal
More chapters added as I work through these patterns

GitHub PR Fix: "Commits must have verified signatures" blocking PR merge

Sat, 25 Apr 2026 00:00:00 +0000

Problem

GitHub branch protection requires all commits to have verified GPG signatures. Two commits at the base of the branch (made before GPG signing was configured) were unsigned, blocking the merge.

Root cause

Commits made before commit.gpgsign=true was configured in git have no GPG signature. GitHub requires all commits in a PR to be verified - one unsigned commit blocks the merge regardless of approvals.

Steps to fix

1. Identify unsigned commits

git log --format="%G? %ad %s" --date=short origin/main..HEAD

Look for lines starting with N (no signature). Note the hash of the oldest unsigned commit’s parent on main.

2. Re-sign all branch commits using filter-branch

git filter-branch -f --commit-filter 'git commit-tree -S "$@"' -- origin/main..HEAD

Rewrites all branch commits adding a GPG signature - no content changes, no conflicts.

3. Verify no unsigned commits remain

git log --format="%G?" origin/main..HEAD | Select-String "^N$"

Should return nothing.

4. Force push

Attempt force push via terminal using the configured remote:

git push --force origin <branch>

If this fails with “repository not found” (HTTPS remote, no credentials) or “Could not read from remote repository” (SSH not configured), use a classic PAT with repo scope directly in the URL:

git push --force https://<username>:<PAT>@github.com/<org>/<repo>.git <branch>

5. Update local tracking ref (if GitHub Desktop shows stale state)

git update-ref refs/remotes/origin/<branch> <tip-commit-hash>

Notes

Avoid git rebase --exec "git commit --amend -S" if the branch has merge commits - it drops them and causes conflicts
Avoid git rebase --rebase-merges - re-applying old merge commits causes conflicts from the original merges
filter-branch rewrites commit objects without replaying merges, which is what’s needed here
Fine-grained PATs do not work for org repositories - use classic PAT only
After force pushing, avoid git pull / IDE auto-sync until the PR is merged - it will re-introduce the old unsigned commits via a new merge

AWS CDK - Project Setup and Bootstrapping

Sun, 11 May 2025 00:00:00 +0000

This is Chapter 1 of the Infrastructure as Code with AWS CDK series. Before writing any stack code, the project needs to be initialised and the AWS account needs to be bootstrapped. This covers both.

Prerequisites

Python 3.9+
Node.js 18+ (CDK CLI is a Node package)
AWS CLI v2 configured with valid credentials - see Connect to AWS SSO and SSH into EC2 Instance
An AWS account with permissions to create IAM roles, S3 buckets, and CloudFormation stacks

Install the CDK CLI globally:

npm install -g aws-cdk
cdk --version

Initialise project

Create a new directory and initialise a CDK Python project inside it:

mkdir my-cdk-app && cd my-cdk-app
cdk init app --language python

This scaffolds the project with a virtual environment, a sample stack, and a cdk.json config file.

Activate the virtual environment and install dependencies:

# macOS / Linux
source .venv/bin/activate

# Windows (PowerShell)
.venv\Scripts\activate.ps1

pip install -r requirements.txt

Directory structure

After initialisation the project looks like this:

my-cdk-app/
├── app.py                  # CDK app entry point
├── cdk.json                # CDK config and context
├── requirements.txt        # Python dependencies
├── requirements-dev.txt    # Dev dependencies (e.g. pytest)
├── .venv/                  # Python virtual environment
└── my_cdk_app/
    ├── __init__.py
    └── my_cdk_app_stack.py # Default stack

app.py is where the CDK app is defined and stacks are instantiated. my_cdk_app_stack.py is where resources are defined. The folder and class names match the project name passed to cdk init.

Bootstrap AWS account

CDK needs a one-time setup in each AWS account and region it deploys to. Bootstrapping creates an S3 bucket (for assets) and IAM roles (for deployments) in the account:

cdk bootstrap aws://123456789012/us-east-1

Replace 123456789012 with your account ID and us-east-1 with your target region. If credentials are already configured via AWS CLI or SSO, the account ID can be omitted:

cdk bootstrap

This only needs to run once per account/region combination. Re-running it is safe - it updates the bootstrap stack if needed.

Synth and deploy

CDK compiles Python into CloudFormation before deploying. Run synth to see the generated CloudFormation template:

cdk synth

This outputs a CloudFormation template to cdk.out/. Use it to verify what CDK will create before deploying.

Deploy the stack:

cdk deploy

CDK shows a diff of changes and prompts for confirmation before creating or modifying any IAM resources.

Verify

After deploying, the stack appears in CloudFormation in the AWS console. Check:

CloudFormation > Stacks > MyCdkAppStack - status should be CREATE_COMPLETE
S3 > Buckets - the CDK bootstrap bucket should be visible (cdk-hnb659fds-assets-...)

To tear down the stack:

cdk destroy

Notes

The bootstrap stack itself is a CloudFormation stack - it can be viewed and managed in the console under CDKToolkit
Each AWS account + region combination needs its own bootstrap - e.g. deploying to both us-east-1 and ap-southeast-2 requires bootstrapping both
cdk synth is useful for debugging - the generated CloudFormation is in cdk.out/ and can be inspected directly
The .venv/ folder and cdk.out/ should be in .gitignore - they are added automatically by cdk init

Install CloudWatch agent in EC2 Instance

Thu, 03 Apr 2025 00:00:00 +0000

EC2 does not send memory or disk metrics to CloudWatch by default - only CPU, network and status checks. The CloudWatch agent runs inside the instance and collects system-level metrics and logs directly.

Prerequisites

EC2 instance running (Amazon Linux 2 or Ubuntu)
SSH access to the instance - see Connect to AWS SSO and SSH into EC2 Instance
Terminal

Attach IAM role to the instance

The agent needs permission to write metrics and logs to CloudWatch. In the AWS console:

EC2 > Instances > select your instance
Actions > Security > Modify IAM role
Attach a role that has CloudWatchAgentServerPolicy managed policy

If no such role exists, create one:

IAM > Roles > Create role
Trusted entity: AWS service > EC2
Add permission: CloudWatchAgentServerPolicy
Name it (e.g. ec2-cloudwatch-agent-role) and create

Install the agent

SSH into the instance, then run the appropriate command for your OS.

Amazon Linux 2:

sudo yum install -y amazon-cloudwatch-agent

Ubuntu:

sudo apt-get install -y amazon-cloudwatch-agent

Configure the agent

Run the configuration wizard - it steps through metrics and log collection interactively:

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard

Alternatively, create a config file manually at /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json:

{
  "agent": {
    "metrics_collection_interval": 60,
    "run_as_user": "root"
  },
  "metrics": {
    "namespace": "CWAgent",
    "metrics_collected": {
      "mem": {
        "measurement": ["mem_used_percent"]
      },
      "disk": {
        "measurement": ["disk_used_percent"],
        "resources": ["/"]
      }
    }
  }
}

Collects memory and disk usage every 60 seconds under the CWAgent namespace.

Start the agent

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \
  -a fetch-config \
  -m ec2 \
  -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json \
  -s

Verify

Check the agent is running:

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status

Expected output:

{
  "status": "running",
  "starttime": "...",
  "version": "..."
}

In the AWS console, go to CloudWatch > Metrics > All metrics > CWAgent to confirm metrics are coming in. Give it 2-3 minutes after starting for metrics to show up.

Notes

If the instance had no IAM role before, restart the agent after attaching the role - it picks up credentials on start
The wizard config is saved to /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json by default
To collect logs, add a logs block to the config pointing to the log file paths
Agent logs are at /opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log - check here if metrics are not appearing

Connect to AWS SSO and SSH into EC2 Instance

Mon, 17 Mar 2025 00:00:00 +0000

Two paths depending on your setup - follow one:

Without SSO: personal AWS account, direct IAM credentials
With SSO: enterprise/team setup with an SSO start URL (e.g. https://company.awsapps.com/start)

Prerequisites

Without SSO:

AWS CLI v2
AWS IAM user credentials (Access Key ID and Secret Access Key)
Terminal

With SSO:

AWS CLI v2
AWS SSO start URL and access
Terminal

Files you will need

~/
├── .aws/
│   ├── config
│   └── credentials
└── .ssh/
    ├── ec2-key.pem
    └── config

Path A: Without SSO

Create .aws folder if it doesn’t exist. Run from your home directory (~).

mkdir -p ~/.aws

Create ~/.aws/credentials.

[default]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

Create ~/.aws/config.

[default]
region = ap-southeast-2
output = json

Test your config.

aws sts get-caller-identity

Path B: With SSO

Add a profile block to ~/.aws/config for each environment (e.g. aws-dev, aws-prod):

[profile aws-prod]
sso_session = aws-prod
sso_account_id = 123456789123
sso_role_name = aws-prod-SystemAdmin
region = ap-southeast-4
output = json
credential_process = aws configure export-credentials --profile aws-prod

Sample .aws folder structure:

Setup SSH config

Download the .pem keypair when launching the EC2 instance and move it here.

mkdir -p ~/.ssh
mv ~/Downloads/ec2-prod.pem ~/.ssh/ec2-prod.pem
chmod 400 ~/.ssh/ec2-prod.pem

Basic SSH config (no SSO)

Add to ~/.ssh/config:

Host ec2-prod
    HostName 1.2.3.4             # Replace with your EC2's public IP
    User ec2-user                # Use 'ubuntu' for Ubuntu instances
    IdentityFile ~/.ssh/ec2-prod.pem

SSO ProxyCommand config

Use this if connecting via AWS SSM Session Manager with an SSO profile. Add to ~/.ssh/config (or a separate file under ~/.ssh/config.d/):

Host ec2-prod
  User ec2-user
  IdentityFile ~/.ssh/ec2-prod.pem
  ProxyCommand aws ssm start-session --target i-01xyz7659824a123q --profile aws-prod --document-name AWS-StartSSHSession --parameters portNumber=22

Sample .ssh folder structure:

Connect

If using SSO, log in first:

aws sso login --profile aws-prod

Then SSH in:

ssh ec2-prod

Python on Bastab C

Infrastructure as Code with AWS CDK - Series Overview

Use case

The series

Chapter 1 - Project setup and bootstrapping

Chapter 2 - Managing configuration and context

Chapter 3 - Writing and sharing constructs (coming soon)

Chapter 4 - Testing CDK stacks (coming soon)

Chapter 5 - CI/CD with CDK (coming soon)

Notes

GitHub PR Fix: "Commits must have verified signatures" blocking PR merge

Problem

Root cause

Steps to fix

1. Identify unsigned commits

2. Re-sign all branch commits using filter-branch

3. Verify no unsigned commits remain

4. Force push

5. Update local tracking ref (if GitHub Desktop shows stale state)

Notes

AWS CDK - Project Setup and Bootstrapping

Prerequisites

Initialise project

Directory structure

Bootstrap AWS account

Synth and deploy

Verify

Notes

Install CloudWatch agent in EC2 Instance

Prerequisites

Attach IAM role to the instance

Install the agent

Configure the agent

Start the agent

Verify

Notes

Connect to AWS SSO and SSH into EC2 Instance

Prerequisites

Files you will need

Path A: Without SSO

Path B: With SSO

Setup SSH config

Connect