it’s just for my portfolio. it’s like self-hosting for enterprise
Comment on Deploying Nextcloud on AWS ECS with Pulumi
magikmw@piefed.social 4 days ago
All comments about overkill are amusing. You do you. Did you learn stuff?
Maybe you can replace some of those tools with less expensive analogs, how's the cost anyway?
joegarciar3a3294@lemmy.world 4 days ago
aurelian@lemmy.ml 3 days ago
If you want it to stand out, don’t automate the compute and networking; that’s so standardized these days that anyone can do it. Automate those IAM permissions.
I know that when hiring nothing gets me more excited about a candidate than them understanding how to securely bootstrap an environment.
joegarciar3a3294@lemmy.world 1 day ago
It is actually possible to add non-root IAM accounts using your root IAM account. However, in order to do that, you first have to create an access key for your root user, which is not recommended by AWS.
The method is to manually create a non-root user, add an initial IAM permission to modify the IAM resources, and automate the additional IAM permission aggregation via a script in gitlab-ci.yml.
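The two-step bootstrap described in the comment above, as an added example (this is not code from the original post or from the deployment it describes). It assumes a placeholder account id 123456789012, a hand-created user named iam-bootstrap, and that every role and policy the pipeline manages lives under the IAM path /ci/; the permissions-boundary condition is the pattern AWS documents for delegating IAM and is an addition here, not something the comment specified.

```python
"""Bootstrap a non-root IAM identity, then let CI grow its permissions.

Added example, not the original post's code. Assumptions: placeholder
account id 123456789012, a manually created user 'iam-bootstrap', and a
pipeline-owned IAM path '/ci/' that the bootstrap user may manage.
"""
import json

ACCOUNT_ID = "123456789012"                      # assumption: placeholder account
CI_PATH = "/ci/"                                   # assumption: pipeline-owned IAM path
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy{CI_PATH}pipeline-boundary"
MANAGED_POLICY_MAX_CHARS = 6144                    # IAM managed-policy limit (whitespace excluded)


def bootstrap_policy() -> dict:
    """Step 1: the initial policy attached by hand to the non-root user.

    It may only create or change policies and roles under CI_PATH, and any
    role it touches must carry the permissions boundary, so the bootstrap
    user cannot mint a role more privileged than the boundary allows.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ManageCiPolicies",
                "Effect": "Allow",
                "Action": [
                    "iam:CreatePolicy", "iam:CreatePolicyVersion",
                    "iam:DeletePolicyVersion", "iam:GetPolicy",
                    "iam:GetPolicyVersion", "iam:ListPolicyVersions",
                ],
                "Resource": f"arn:aws:iam::{ACCOUNT_ID}:policy{CI_PATH}*",
            },
            {
                "Sid": "ManageCiRolesOnlyWithBoundary",
                "Effect": "Allow",
                "Action": [
                    "iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy",
                    "iam:PutRolePolicy", "iam:DeleteRolePolicy",
                    "iam:PutRolePermissionsBoundary",
                ],
                "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role{CI_PATH}*",
                "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
            },
        ],
    }


def aggregate_pipeline_policy(fragments: list[dict]) -> dict:
    """Step 2: what the gitlab-ci.yml script does as services are added.

    Each fragment is {"sid", "actions", "resources"}. Wildcard actions or
    resources are rejected (least privilege), duplicate actions collapsed,
    and the result is size-checked before it would be pushed with
    iam:CreatePolicyVersion. Actions that only accept Resource "*"
    (e.g. ecr:GetAuthorizationToken) need a separately reviewed statement.
    """
    statements = []
    for frag in fragments:
        actions = sorted(set(frag["actions"]))
        resources = sorted(set(frag["resources"]))
        if "*" in actions or "*" in resources or any(a.endswith(":*") for a in actions):
            raise ValueError(f"{frag['sid']}: wildcard action/resource violates least privilege")
        statements.append({"Sid": frag["sid"], "Effect": "Allow",
                           "Action": actions, "Resource": resources})
    policy = {"Version": "2012-10-17", "Statement": statements}
    size = len(json.dumps(policy, separators=(",", ":")))   # approximates AWS's no-whitespace count
    if size > MANAGED_POLICY_MAX_CHARS:
        raise ValueError(f"policy is {size} chars; split it across several managed policies")
    return policy


# Constructed fragments (assumed region/cluster names), as a CI job would supply them.
ECS_DEPLOY = {"sid": "EcsDeploy",
              "actions": ["ecs:UpdateService", "ecs:DescribeServices", "ecs:UpdateService"],
              "resources": [f"arn:aws:ecs:eu-central-1:{ACCOUNT_ID}:service/nextcloud/*"]}
ECR_PULL = {"sid": "EcrPull",
            "actions": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                        "ecr:BatchCheckLayerAvailability"],
            "resources": [f"arn:aws:ecr:eu-central-1:{ACCOUNT_ID}:repository/nextcloud"]}

if __name__ == "__main__":
    print(json.dumps(bootstrap_policy(), indent=2))
    print(json.dumps(aggregate_pipeline_policy([ECS_DEPLOY, ECR_PULL]), indent=2))
```

The bootstrap document is applied once by hand (for example with `aws iam put-user-policy` as the root user from the console, without creating a root access key); from then on the CI job regenerates the pipeline policy from its fragments and publishes it as a new policy version, so every permission added later is reviewable in the repository diff rather than clicked together in the console.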
loudwhisper@infosec.pub 4 days ago
In that case, Pulumi permissions are too broad IMHO for what it has to do, an enterprise should adhere to least privilege. Likewise, as I wrote in another comment, the egress security groups are unclear to me (why any traffic at all is needed?) and the image consumed should be pinned to a digest. Or better yet, should be coming from a private enterprise registry, ideally with an attestation that can be verified at runtime.
I am not sure ECS Fargate makes sense vs an EC2 instance to run the workload. This setup alone will cost about $30/month assuming half a vCPU per replica with Fargate, plus about $12 for the memory (1GB/task). 2x t2.micro could be run for ~$20 without even considering reservation discounts etc. Obviously the gap will become even larger at scale, which I suppose might be very interesting for an enterprise.
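A small pre-deploy guardrail for two of the points raised in the comment above (digest pinning from a private registry, and an egress security group that allows more than the task needs), as an added example that is not part of the original post or the deployment it describes. It assumes a placeholder private ECR registry 123456789012.dkr.ecr.eu-central-1.amazonaws.com, a VPC CIDR of 10.0.0.0/16, and the rule that the only traffic allowed to leave the VPC is HTTPS (443); the task-definition and security-group inputs are constructed to mimic the shape of ECS's containerDefinitions and a security group's egress rules.

```python
"""Pre-deploy guardrails for an ECS task definition and its egress rules.

Added example, not the original post's code. Assumptions: images must be
pulled by sha256 digest from the private registry below, and the task may
only talk to the VPC and to the internet on 443.
"""
import ipaddress
import re

PRIVATE_REGISTRY = "123456789012.dkr.ecr.eu-central-1.amazonaws.com"  # assumption
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")                           # assumption
ALLOWED_WORLD_PORTS = {443}                                              # assumption: HTTPS only
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def check_image(image: str) -> list[str]:
    """A tag can be re-pointed at a different image; a digest cannot."""
    findings = []
    name, sep, digest = image.partition("@")
    if not sep or not DIGEST_RE.match(digest):
        findings.append(f"{image}: not pinned to a sha256 digest")
    registry = name.split("/", 1)[0]
    if registry != PRIVATE_REGISTRY:
        findings.append(f"{image}: not from private registry {PRIVATE_REGISTRY}")
    return findings


def check_egress(rules: list[dict]) -> list[str]:
    """rules: [{'protocol': 'tcp'|'udp'|'-1', 'from_port', 'to_port', 'cidr'}]."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r["cidr"])
        if r["protocol"] == "-1":                       # '-1' is AWS's 'all protocols'
            findings.append(f"egress {r['cidr']}: all protocols and ports allowed")
            continue
        if net.version == VPC_CIDR.version and net.subnet_of(VPC_CIDR):
            continue                                     # in-VPC traffic (DB, cache) is expected
        ports = set(range(r["from_port"], r["to_port"] + 1))
        if not ports <= ALLOWED_WORLD_PORTS:
            findings.append(f"egress {r['cidr']} {r['protocol']}/{r['from_port']}-{r['to_port']}:"
                            " leaves the VPC on a non-HTTPS port")
    return findings


def review(task_def: dict, egress_rules: list[dict]) -> list[str]:
    """Returns an empty list when the task definition and egress rules pass."""
    findings = []
    for c in task_def["containerDefinitions"]:
        findings += check_image(c["image"])
    findings += check_egress(egress_rules)
    return findings


# Constructed inputs: a loose configuration and its hardened counterpart.
LOOSE_TASK = {"family": "nextcloud",
              "containerDefinitions": [{"name": "app", "image": "nextcloud:29"}]}
LOOSE_EGRESS = [{"protocol": "-1", "from_port": 0, "to_port": 0, "cidr": "0.0.0.0/0"}]

HARDENED_TASK = {"family": "nextcloud",
                 "containerDefinitions": [{"name": "app",
                                           "image": f"{PRIVATE_REGISTRY}/nextcloud@sha256:{'a' * 64}"}]}
HARDENED_EGRESS = [
    {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.2.0/24"},  # DB subnet (assumed)
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},     # image pull / updates
]

if __name__ == "__main__":
    for label, task, egress in (("loose", LOOSE_TASK, LOOSE_EGRESS),
                                ("hardened", HARDENED_TASK, HARDENED_EGRESS)):
        print(label, review(task, egress) or "OK")
```

Run as a CI step against the rendered task definition and security group before `pulumi up`; the 443-to-anywhere rule is the one that still deserves a human answer to the "why any traffic at all" question, since with ECR VPC endpoints and no outbound app-store or update traffic it can be dropped too.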
cichy1173@szmer.info 4 days ago
If that’s true, then great, and learning with cloud-native technology is perfectly fine. The critical comments were probably made because the post does not indicate that this is just an idea for a production architecture or a form of learning, but rather an actual deployment that should be carried out (at least that is how I see it), which in this subreddit could be perceived as a proposal for self-hosting by private individuals (as self-hosting is associated with private individuals).
cichy1173@szmer.info 4 days ago
I started counting, and with only Fargate, two ECS tasks (with not much CPU power) and a first Aurora DB, it is almost 200 USD per month (in Frankfurt). If we add other services, the cost will get higher and higher.
Yeah, learning is great, and if you deploy it and kill it the same day, the cost will be quite low. But if you want to really use it, it is too much; it is better to use hostable alternatives, i.e. Load Balancer == HAProxy, Fargate Task == Docker on EC2/VPS (even with ECS), Aurora == burstable-tier RDS or a DB hosted on a VPS/EC2. I know that in the business area you should not host a DB on EC2 or use clean Docker on EC2 (without ECS) (and that a production Nextcloud deployment could be more extended, because availability and scalability are more important than saving some dollars), but in the private zone, where every penny is important, it is overkill for everyday use.