Monday, March 4, 2024

GitHub Actions notes

ci / integration :

build
test
merge

cd / delivery :

auto release to repository

cd / deployment :

auto deploy to production

=====

ci = pass tests
cd = deliver code to production

======



## gitactions

1 create workflow = superlinter.yml

// linter = runs checks that the code meets specific criteria or a standard




=======


## workflow

consists of 5 parts :

1 event
2 jobs
3 runner
4 steps
5 actions

1 event = trigger for the workflow
- example: when someone pushes new code

// example event in the yaml file :

on: push

^ this will run the contents of jobs



2 jobs = the jobs to do

jobs:
  super-lint:
    name: Lint code base
    runs-on: ubuntu-latest            # runner => container
    steps:
      - name: Checkout code
        uses: actions/checkout@v2     # check out our code
      - name: Run Super-Linter
        uses: github/super-linter@v3  # run the linter
        env:
          DEFAULT_BRANCH: main





3 runner = the container that runs the jobs

runs-on: ubuntu-latest

## by default github runs our code in the github environment
## available: ubuntu linux / windows / mac

4 steps = declares how many steps will be run

the steps run the linter
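Added example (Python, not part of these notes and not GitHub's or super-linter's code): a small supply-chain check over a workflow file like the one above. It finds every `uses:` reference and reports the ones pinned to a mutable tag such as `@v2` instead of a full commit SHA, and whether the workflow declares a `permissions:` block at all. The sample workflow text is constructed from the superlinter.yml above; the 40-hex SHA on the third step is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow, modelled on superlinter.yml from the notes.
# The SHA on the third step is a constructed placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: Lint code base
on: push
jobs:
  super-lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Run Super-Linter
        uses: github/super-linter@v3
      - name: Pinned example
        uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

# `uses: owner/repo@ref` anywhere in a step; group 1 = action, group 2 = ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_uses(workflow_text):
    """Return (action, ref) pairs for every `uses:` step in the workflow text."""
    return USES_RE.findall(workflow_text)


def classify_ref(ref):
    """'sha' if pinned to a full commit SHA, 'tag' if a mutable tag or branch name."""
    return "sha" if SHA_RE.match(ref) else "tag"


def unpinned_actions(workflow_text):
    """Actions referenced by a mutable tag: these are the ones to flag in review."""
    return [f"{action}@{ref}" for action, ref in find_uses(workflow_text)
            if classify_ref(ref) == "tag"]


def has_permissions_block(workflow_text):
    """True if the workflow declares a `permissions:` key (workflow- or job-level)."""
    return re.search(r"^\s*permissions:", workflow_text, re.MULTILINE) is not None


if __name__ == "__main__":
    for item in unpinned_actions(SAMPLE_WORKFLOW):
        print("unpinned:", item)
    print("permissions block present:", has_permissions_block(SAMPLE_WORKFLOW))
```

Run against the sample it reports both actions from the notes as tag-pinned and no `permissions:` block; a reviewer would ask for SHA pins and an explicit least-privilege `permissions:` entry before merging.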






=========



superlinter supports multiple linters ( understands multiple languages )



===========



when first creating a workflow, the naming matters

mygitactions/.github/workflows/superlinter.yml     // in main

## then commit to the main branch




=========



## go to the <> code tab
## check the status icon

check pass = turns green
check fail = turns red

or go to the actions tab





=============

CD

once the ci pipeline is done and the image has been pushed to the registry, it is time to build cd.

create a new repo.

its contents are the config repo :
- kubernetes manifest / docker compose

push to test/QA env --> monitored with prometheus / grafana

prometheus = scrapes metrics from the app
grafana = qa can visualize changes, check latency, check kpi

usually there are 3 cd stages:

test/qa
staging  : pretends to be production. live-stage testing
production : customer access



==============


push model:

registry -> pushed to the 3 stages ( kubectl apply ) -> monitored with prometheus / grafana

pull model:

argoCD is installed in each kubernetes cluster

argoCD = checks the state of the repository, checks the state of each cluster ( pulled )

if something changes in the cluster it checks right away and reports when it is out of sync

can be synced automatically by argo or triggered manually

automatically sync the test/qa env with the staging env via argo CD

function of argoCD : sync and check state

============



// argo rollout canary deployment

user --- loadbalancer --- app ( kubernetes pod ).

                          90% traffic
user --- loadbalancer --- app v1
              |
              |           10% traffic
              --------- app v2

traffic split steps:

90% / 10%
80% / 20%

**shift traffic to the new version until everything has moved to the newly released version

the pods** are also moved from the old application to the new app
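Added example (Python, not Argo Rollouts code and not from these notes): a simulation of the canary promotion loop sketched above. Traffic is shifted to v2 in steps (10%, 20%, 50%, 100%); between steps a metric query is consulted, standing in for the prometheus check the notes mention, and the rollout is promoted only while v2 stays under an error budget, otherwise all traffic is sent back to v1. The step schedule, the budget and the two observation functions are constructed for the example.

```python
# Constructed step schedule: percent of traffic sent to app v2 at each step
CANARY_STEPS = [10, 20, 50, 100]
# Constructed error budget: abort the rollout if v2's error rate goes above 5%
ERROR_BUDGET = 0.05


def split_traffic(canary_percent):
    """Return (v1_percent, v2_percent) for one step, e.g. 10 -> (90, 10)."""
    if not 0 <= canary_percent <= 100:
        raise ValueError("canary percent must be between 0 and 100")
    return 100 - canary_percent, canary_percent


def run_rollout(steps, observe_error_rate, budget=ERROR_BUDGET):
    """Walk the steps; promote while v2 stays under budget, otherwise roll back to v1.

    observe_error_rate(canary_percent) is a hypothetical metric hook that stands in
    for the query a rollout controller runs between steps.
    Returns (final_state, traffic_history) where history holds (v1%, v2%) pairs."""
    history = []
    for pct in steps:
        v1, v2 = split_traffic(pct)
        history.append((v1, v2))
        if observe_error_rate(pct) > budget:
            history.append((100, 0))      # rollback: every request back to v1
            return "rolled_back", history
    return "promoted", history


def healthy_v2(pct):
    """Constructed observation: v2 stays healthy at every step."""
    return 0.01


def degraded_v2(pct):
    """Constructed observation: v2 starts failing once it carries half the traffic."""
    return 0.20 if pct >= 50 else 0.01


if __name__ == "__main__":
    print(run_rollout(CANARY_STEPS, healthy_v2))
    print(run_rollout(CANARY_STEPS, degraded_v2))
```

The point the simulation makes is that the metric check between steps is what turns a traffic split into a safe rollout: without it the 90/10 and 80/20 steps only delay a bad release rather than stop it.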




==============

Monday, January 8, 2024

Route 53 DNS Note

 



// dns

translates domain names to ip addresses



===========


// domain registrar.

a domain is registered via interNIC == a service provided by ICANN / internet corporation for assigned names and numbers

- once registered, the data goes into the WhoIS database

example domain registrars:
- hostgator
- godaddy
- domain.com
- aws
- namecheap

- you can pay for an extra service to keep the dns registration data private

============



// top level domain

- the last word in the domain name
example : .com  .ac  .academy  .aaa  .abb

can be checked in the availability database:
www.iana.org/domains/root/db

^ aws only has the top level domain .aws

===========

// second level domain

- the 2nd word, counting from the top level domain
example:

toro.co.id  //  co = 2nd level domain



===========


// Start of authority

every domain must have an SOA record that provides information about the domain.
example:

- how often it is updated
- admin email

1 zone file can contain only 1 SOA Record.

format:

[authority-domain] ---- [domain-of-zone-admin] ----- [ zone-SN ] ----
[refresh-time]    ---- [ retry-time] ---- [ expire-time ] ----
[negative caching TTL]

example:

ns.example.com. hostmaster.example.com. 1
7200 900 1209600 86400

aws example:

ns-415.awsdns-51.com. awsdns-hostmaster.amazon.com. 1
7200 900 1209600 86400
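Added example (Python, not Route 53 code and not from these notes): a parser for the SOA text shown above that splits it into the seven fields named in the format line, turns the admin field back into an email address, and checks that the timers are consistent with each other (retry shorter than refresh, expire longer than refresh, names fully qualified). The record it parses is the ns.example.com one from the notes; the consistency rules are the usual operational sanity checks, not something the notes state.

```python
SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

# The example record from the notes, joined onto one line
SAMPLE_SOA = "ns.example.com. hostmaster.example.com. 1 7200 900 1209600 86400"


def parse_soa(text):
    """Split SOA RDATA into a dict keyed by SOA_FIELDS; the five numeric fields become ints."""
    parts = text.split()
    if len(parts) != 7:
        raise ValueError(f"SOA needs 7 fields, got {len(parts)}")
    rec = dict(zip(SOA_FIELDS, parts))
    for key in SOA_FIELDS[2:]:
        rec[key] = int(rec[key])
    return rec


def rname_to_email(rname):
    """hostmaster.example.com. -> hostmaster@example.com (the first dot stands for '@')."""
    mailbox, _, domain = rname.rstrip(".").partition(".")
    return f"{mailbox}@{domain}"


def check_soa(rec):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    if not rec["mname"].endswith(".") or not rec["rname"].endswith("."):
        problems.append("mname/rname should be fully qualified (trailing dot)")
    if rec["retry"] >= rec["refresh"]:
        problems.append("retry should be shorter than refresh")
    if rec["expire"] <= rec["refresh"]:
        problems.append("expire should be longer than refresh")
    if rec["serial"] < 0:
        problems.append("serial must be non-negative")
    return problems


if __name__ == "__main__":
    rec = parse_soa(SAMPLE_SOA)
    print(rec)
    print("admin:", rname_to_email(rec["rname"]))
    print("problems:", check_soa(rec))
```

The minimum field (86400 here) is the negative-caching TTL from the format line above: how long a resolver may remember that a name does not exist.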





===========



// A Record

A record : converts a domain name directly to an ip address.

{
  "ResourceRecordSets": [
    {
      "TTL": 300,
      "Type": "A",
      "Name": "testing-domain.com",
      "ResourceRecords": [
        { "Value": "202.169.228.1" }
      ]
    }
  ]
}



===========



// cname

- resolves one domain name to another name rather than to an ip address
- if a cname is in place, we can change the A record while the cname keeps pointing at the same name.

{
  "ResourceRecordSets": [
    {
      "TTL": 300,
      "Type": "CNAME",
      "Name": "www.testing-domain.com",
      "ResourceRecords": [
        { "Value": "testing-domain.com" }
      ]
    }
  ]
}



=========



// NS

used by the top level domain to direct traffic to the dns server that holds the
authoritative DNS records.

- you can create multiple name servers for redundancy

- if we create dns records with route53, the NS Record for our domain will point to AWS servers.

{
  "ResourceRecordSets": [
    {
      "Type": "NS",
      "Name": "testing-domain.com",
      "TTL": 172800,
      "ResourceRecords": [
        { "Value": "ns-245.awsdns-30.com." },
        { "Value": "ns-523.awsdns-30.net." },
        { "Value": "ns-1586.awsdns-30.co.uk." },
        { "Value": "ns-1373.awsdns-43.org." }
      ]
    }
  ]
}
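Added example (Python, not Route 53 code and not from these notes): a pre-submission validator for a ResourceRecordSets document in the shape of the A, CNAME and NS examples above. It checks that A values are IPv4 addresses, that a CNAME is not placed at the zone apex and has exactly one target, and that NS values are fully qualified with a trailing dot. The sample document is constructed from the notes' examples, with one NS value deliberately missing its trailing dot so the check has something to report.

```python
import ipaddress
import json

# Constructed sample, built from the A / CNAME / NS examples in the notes.
# The second NS value is deliberately missing its trailing dot.
SAMPLE_RRSETS = json.loads("""
{
  "ResourceRecordSets": [
    {"Name": "testing-domain.com", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "202.169.228.1"}]},
    {"Name": "www.testing-domain.com", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "testing-domain.com"}]},
    {"Name": "testing-domain.com", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-245.awsdns-30.com."}, {"Value": "ns-523.awsdns-30.net"}]}
  ]
}
""")


def validate_rrset(rrset, zone_apex):
    """Return a list of problems for one record set (empty list = ok)."""
    problems = []
    rtype = rrset.get("Type")
    name = rrset.get("Name", "").rstrip(".")
    values = [r.get("Value", "") for r in rrset.get("ResourceRecords", [])]
    if not values:
        problems.append(f"{name} {rtype}: no ResourceRecords")
    if rtype == "A":
        for v in values:
            try:
                if ipaddress.ip_address(v).version != 4:
                    problems.append(f"{name} A: {v} is not IPv4")
            except ValueError:
                problems.append(f"{name} A: {v} is not an ip address")
    elif rtype == "CNAME":
        if name == zone_apex.rstrip("."):
            problems.append(f"{name} CNAME: not allowed at the zone apex")
        if len(values) != 1:
            problems.append(f"{name} CNAME: must have exactly one target")
    elif rtype == "NS":
        for v in values:
            if not v.endswith("."):
                problems.append(f"{name} NS: {v} should be fully qualified (trailing dot)")
    return problems


def validate_document(doc, zone_apex):
    """Validate every record set in a ResourceRecordSets document."""
    problems = []
    for rrset in doc.get("ResourceRecordSets", []):
        problems.extend(validate_rrset(rrset, zone_apex))
    return problems


if __name__ == "__main__":
    for p in validate_document(SAMPLE_RRSETS, "testing-domain.com"):
        print("problem:", p)
```

An NS value without the trailing dot is a classic mistake: the name is then interpreted relative to the zone, so the delegation silently points at the wrong host.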





========



// TTL

the time a dns record is allowed to be cached on a server / the user's local machine

the shorter the ttl value, the faster dns record changes propagate across the internet




=========



// route 53

- highly available and scalable cloud DNS.
- register and manage domains
- create dns routing rules / failover

- closely integrated with other aws services

- can register and manage domains
- create various record sets on a domain
- implement complex traffic flows
- continuously monitor records via health checks
- resolve vpc outside AWS



=========


// route 53 record sets

- used to point the naked domain and subdomains via domain records

A record => points to a specific ip

===========

// alias record aws

- extends dns functionality
- routes traffic to specific AWS Resources
- an alias record can detect a change of ip addr and keep the endpoint's ip pointed at the correct resource

- used when you want to route traffic into AWS Services


==========



// routing policies

there are 7:

1 simple routing
- default. multiple addresses = results in random selection

2 weighted routing
- routing based on weights to split traffic
- e.g. : 80% traffic to server 1 , 20% to server 2

3 latency based routing
- routes traffic to the region with the lowest latency
- does not care where it is geographically, the smallest ms wins

4 failover routing
- routes traffic when the primary endpoint = unhealthy  => throw it to the secondary endpoint
- used to build an active - passive situation
- automatically monitors the health check of the primary

5 geolocation routing
- routes traffic based on the location of users

6 geo-proximity routing
- routes traffic based on the location of resources and optionally shifts traffic from resources in one location to resources in another

7 multi-value answer routing
- responds to dns queries with up to 8 healthy records ( random selection )
- similar to the simple routing policy but with ++ health checks added
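Added example (Python, not Route 53 code and not from these notes): a simulator for the four policies above that can be reproduced offline, simple, weighted, failover and multi-value answer, so the difference between them is visible in the answers they return. The records, weights and health states are constructed (the 80/20 weights are the split from the notes; the addresses are documentation ranges, not real servers). Latency, geolocation and geo-proximity are left out because they depend on measurements the page does not give.

```python
import random

# Constructed record set: "server 1" and "server 2" from the notes plus one drained, failing record
RECORDS = [
    {"value": "203.0.113.10", "weight": 80, "healthy": True},
    {"value": "203.0.113.20", "weight": 20, "healthy": True},
    {"value": "203.0.113.30", "weight": 0, "healthy": False},
]


def make_rng(seed):
    """Seeded generator so runs are reproducible."""
    return random.Random(seed)


def simple_routing(records, rng):
    """Default policy: one value chosen at random, health is not considered."""
    return rng.choice([r["value"] for r in records])


def weighted_routing(records, rng):
    """Probability of a record = its weight / sum of weights; weight 0 is never chosen."""
    weights = [r["weight"] for r in records]
    if sum(weights) <= 0:
        raise ValueError("weights must sum to more than 0")
    return rng.choices([r["value"] for r in records], weights=weights, k=1)[0]


def failover_routing(primary, secondary):
    """Active-passive: answer with the primary while its health check passes."""
    return primary["value"] if primary["healthy"] else secondary["value"]


def multivalue_routing(records, rng, limit=8):
    """Up to `limit` healthy values in random order; unhealthy records are dropped."""
    healthy = [r["value"] for r in records if r["healthy"]]
    rng.shuffle(healthy)
    return healthy[:limit]


def weighted_share(records, rng, trials=10000):
    """Fraction of answers each value received, to check the 80/20 split empirically."""
    counts = {r["value"]: 0 for r in records}
    for _ in range(trials):
        counts[weighted_routing(records, rng)] += 1
    return {v: n / trials for v, n in counts.items()}


if __name__ == "__main__":
    rng = make_rng(42)
    print("simple:", simple_routing(RECORDS, rng))
    print("weighted share:", weighted_share(RECORDS, rng))
    print("failover:", failover_routing(RECORDS[2], RECORDS[0]))
    print("multivalue:", multivalue_routing(RECORDS, rng))
```

Note that simple routing happily hands out the unhealthy address; only failover and multi-value consult health, which is the "++ health check" the notes attach to policy 7.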


=========


// route 53 - traffic flow

- visual editor. lets you create multiple routing configs for your resources using the existing routing types
- supports versioning for rollback

- 50$ per policy record per month

=========

// health check

- every 30s by default. can be customized to every 10s.

- we can attach a cloudwatch alarm to alert on unhealthy status

- health checks can be chained. can monitor other health checks to create a chain of reactions. up to 50 per single aws account

=======

// route 53 resolver  ( .2 resolver )

- regional service that can route dns queries between a vpc and your network

- dns resolution for hybrid environments ( on prem and cloud )

there are 3 :
-  inbound and outbound
-  inbound only
-  outbound only



=======


Sunday, December 10, 2023

VPC Note

 // VPC

default vpc ip = 172.31.0.0/16



==========


// how to create a vpc

1 select region

2 creating the vpc

vpc > create vpc > ipv4 CIDR block       =>  enter the ip range you want to allocate

^ a vpc id will be created
^ a route table appears automatically
^ a nacl appears automatically
^ dns hostname = disabled by default








===========



// connect vpc to internet

1 create internet gateway

internet gateways > create internet gateway
- input name tag : ig-1

^ when created the status will be detached. it can then be attached to the vpc that was already created.

2 attach the internet gateway to the vpc

internet gateways > actions > attach to vpc
- select the vpc id you want to attach

3 add a route table so there is a route to the internet

internet gateways > route table  > create route table
- name tag: route_to_internet
- vpc : select existing vpc

4 set main route table

route table > actions > set main route table

5 edit route table, add 0.0.0.0/0

route tables > edit routes > add route

destination = 0.0.0.0/0
target = ( select internet gateway )

6 edit subnets
// create at least 2 or 3 in different AZs, so there is HA.

subnets > create subnets >
- edit name tag
- select vpc
- select AZ
- edit the ipv4 CIDR block ( its size must be smaller than / a part of the vpc CIDR )

// create 3 public ip v4 cidrs :
10.0.1.0/24
10.0.0.0/24
10.0.2.0/24

^ action => edit auto-assign public ipv4 address : yes

// create 1 private ip v4 cidr :
10.0.3.0/24

// create a new route table for the private ip segment
- route tables > create route table > private_ip_route

// set route table association

subnets -> edit route table association
- edit route table id
- change to private
- save









==========


// create ec2

- services > ec2 > instances > launch instances
select platform ( usually amazon linux 2 ami ( hvm ) => for the public subnet )

- select t2.micro

- network = select the vpc network that was created

- subnet = select the public subnet that was created

- create new IAM role
to create permissions for access to s3

^ select ec2 > in filter policies, filter ssm  ( amazonec2RoleforSSM )
^ in filter policies, filter s3  ( amazonS3FullAccess )
^ give a role name > create role

- select the new IAM role

// optional

in advanced details you can input a script to build a web server

- storage => leave it at the default for now

// configure security group
- create new sec group > security group name = ec2-sec-group1

open port ssh
open port http

- edit the source that is allowed

// create ec2 key pair
- used for remote access with a key. more secure.

// security group => deny by default
// we create rules to allow services


==========


// create ec2 for the private subnet

same steps as above but with a different subnet. => select the private one

=========

// edit nacl

- can be used to block a specific ip address
- nacls live on subnets

Subnets > select subnet > below there is a Network ACL menu > edit

- select inbound rule > add rule           // evaluated lowest to highest

- add rule 10 > source : ip_private/32  > deny



========



// how to connect from outside to the private subnet
// can use a jumphost or bastion ( find it in the marketplace )
^ for remote browser ssh to a private instance. more secure
^ jumpbox = hardened instance
^ can be given google authenticator / mfa
^ can do screen recording
^ has audit logs

^ alternatively use session manager, but it has no screen recording

- instances > launch instances > aws marketplace > guacamole bastion host

- edit the network and subnet

- edit policies > filter guaws

- create role > ec2 > filter > ec2readonlyaccess






========

NAT Gateway Note

 // nat

1 used to connect private ips to the internet
2 used when there is a private ip network that clashes / is the same and needs outbound connectivity




============



// nat instances vs nat gateway

nat instances = individual ec2 instance.

- nat instances can go down
- must create more than 1

// nat gateways

- managed service which launches redundant instances within the selected AZ.

- managed by aws

- there is redundancy behind the scenes. aws manages it.

** nat instances must be in a public subnet.

ec2 -> lives in the private subnet

^ every nat runs per AZ


=========




// nat instance and nat gateway notes++

// nat instance notes

- when building a nat you must disable source and destination checks on the instance
- nat instances must be in a public subnet
- there must be a route out from the private subnet to the nat instance
- the size of the nat instance determines how much traffic it can handle
- high availability can use an autoscaling group, multiple subnets in different AZs, and automated failover via scripts   =>  more hassle than a nat gateway

// nat gateway notes

- redundant within a single AZ.
- only 1 nat gateway allowed within 1 AZ / cannot span AZs
- starts at 5Gbps and can scale up to 45Gbps

- Nat Gateway is used for enterprise

- no need to patch the nat gateway. no need to disable source/destination checks
- a nat gateway is automatically assigned a public ip
- route tables for the nat gateway must be updated
- resources in multiple AZs sharing a gateway will lose internet access if the gateway goes down, unless you create a gateway in each AZ and configure routes accordingly









========

Security Group Note

 // security group:

virtual firewall at instance level

========

- inbound rule
- outbound rule
- no deny rules. all traffic blocked by default unless a rule specifically allows it
- multiple instances across multiple subnets can belong to a security group

=========

- can specify /32 or a specific ip address

sg web app ->  db via ip

- can specify another sec group

sg web app ->  db via sec group

- an instance can have multiple security groups applied ( nested ). the rules become permissive.
initially deny, then the 2nd sec group applied allows. so the result is allow

=========

// sec group limits

can have up to 10k sec groups in a region. // default 2500

can have 60 inbound rules and 60 outbound rules per sec group

16 sec groups per elastic network interface ( default is 5 )

========

- firewall at instance level
- sec groups are stateful. // if traffic is allowed inbound, it is also allowed outbound
- unless specifically allowed, all inbound traffic is blocked by default
- all outbound traffic from the instance is allowed by default
- the source can be either an ip range, a single ip addr or another sec group
- any changes take effect immediately
- ec2 instances can belong to multiple sec groups
- a sec group can contain multiple ec2 instances

- cannot block a specific ip via sec group


Thursday, December 7, 2023

AWS NACL NOTE

NACL = Network Access Control List

NACL: an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet

- virtual firewall at subnet level

- a vpc automatically gets a default nacl allowing all outbound and inbound traffic

- each subnet can only be associated with 1 nacl. if there is more than 1 it will overwrite the previous rules

- each nacl has rules that allow or deny traffic inbound ( into ) and outbound ( out of ) subnets

- nacls have inbound and outbound rules

- there is a rule number #  => determines the order of evaluation. from lowest to highest.   0 - 32766.  // recommended increments of 10 / 100

- can block a single ip address ( not possible with security groups )

- has allow / deny

- stateless

- denies all traffic by default when a nacl is created

===================

// nacl use case -- subnet level

- block a single ip address from the internet
- block all incoming ssh
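Added example (Python, not AWS code and not from these notes): an evaluator that applies the rules of the Security Group Note and this NACL note to a packet. The NACL side walks rules in ascending rule number and the first match decides, so a deny on a single /32 at rule 10 wins (the "edit nacl" step above); the security group side has no deny rules and allows if any attached group allows, which is the permissive nesting the security group note describes. All rules, group names and addresses are constructed; the addresses are documentation ranges.

```python
import ipaddress

# Constructed NACL inbound rules: (rule number, action, source cidr, port range).
# Evaluated lowest number first; first match wins. NACLs are stateless, so the
# ephemeral-port allow at 110 is what lets replies to outbound connections back in.
NACL_INBOUND = [
    {"rule": 10, "action": "deny", "cidr": "198.51.100.7/32", "ports": (0, 65535)},
    {"rule": 100, "action": "allow", "cidr": "0.0.0.0/0", "ports": (80, 80)},
    {"rule": 105, "action": "allow", "cidr": "203.0.113.0/24", "ports": (22, 22)},
    {"rule": 110, "action": "allow", "cidr": "0.0.0.0/0", "ports": (1024, 65535)},
    {"rule": 32767, "action": "deny", "cidr": "0.0.0.0/0", "ports": (0, 65535)},  # final deny
]

# Constructed security groups: allow-only rules, (source cidr, port range)
SECURITY_GROUPS = {
    "web-sg": [{"cidr": "0.0.0.0/0", "ports": (80, 80)}],
    "admin-sg": [{"cidr": "203.0.113.0/24", "ports": (22, 22)}],
}


def rule_matches(rule, src_ip, port):
    """True if the source address is inside the rule's cidr and the port is in range."""
    lo, hi = rule["ports"]
    in_cidr = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"])
    return in_cidr and lo <= port <= hi


def nacl_decision(rules, src_ip, port):
    """First matching rule by ascending number decides; returns (action, rule number)."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if rule_matches(rule, src_ip, port):
            return rule["action"], rule["rule"]
    return "deny", None           # nothing matched: default deny


def sg_decision(groups, attached, src_ip, port):
    """No deny rules: traffic is allowed if ANY attached group has a matching allow."""
    for name in attached:
        for rule in groups[name]:
            if rule_matches(rule, src_ip, port):
                return "allow", name
    return "deny", None


def inbound_allowed(src_ip, port, attached):
    """A packet must pass the subnet's NACL first, then the instance's security groups."""
    nacl, _ = nacl_decision(NACL_INBOUND, src_ip, port)
    sg, _ = sg_decision(SECURITY_GROUPS, attached, src_ip, port)
    return nacl == "allow" and sg == "allow"


if __name__ == "__main__":
    print(inbound_allowed("198.51.100.7", 80, ["web-sg"]))             # False: NACL rule 10
    print(inbound_allowed("192.0.2.5", 80, ["web-sg"]))                # True
    print(inbound_allowed("203.0.113.9", 22, ["web-sg", "admin-sg"]))  # True: admin-sg allows
    print(inbound_allowed("192.0.2.5", 22, ["web-sg", "admin-sg"]))    # False: both layers deny
```

The first call shows why the notes say a single ip can only be blocked at the NACL: the web-sg would have allowed port 80 from that address, but the subnet-level deny is evaluated first.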


=============


Tuesday, December 5, 2023

AWS VPC Note

 VPC / Virtual Private Cloud

- VPC = personal datacenter

gives complete control over the virtual networking environment

region > vpc > AZ >

public / private subnet ---- security group --- ec2 instance / rdsDB --- nat ---
NACL --- Route table --- router --- IGW --- internet



================



// VPC Key Features

- vpcs are region specific // do not span across regions

- can create 5 vpcs per region

- each region has 1 default vpc

- can create 200 subnets per VPC

- can use an ipv4 cidr block + ipv6 cidr block

features that cost nothing:
vpc
route table
NACL
internet gateway
security group and subnet
VPC Peering

features that cost money :
NAT Gateway
VPC endpoint
Vpn gateway
Customer gateway
DNS hostname ( if the instance needs dns )





============



// default vpc

- there is a default vpc in every region so instances can be deployed immediately

1 create vpc with a size /16 cidr block.

2 create a size /20 default subnet in each AZ

3 create internet gateway and connect it to the default vpc

4 create default security group and associate it with the default VPC

5 create default NACL / network access control list and associate it with the default VPC

6 associate the default dhcp options with the default vpc

7 when the vpc is created = a route table is created automatically

===========

0.0.0.0/0 = all possible ip addresses.

if specified in the route table for the IGW = allows internet access

if specified in security group inbound rules = allows all traffic from the internet to our public resources

0.0.0.0/0 => giving access from anywhere or the internet



==========



// VPC peering

- allows connecting one vpc with another over a direct route using private IP Addresses

1 instances on peered vpcs behave like they are on the same network
2 able to connect vpcs across the same or different aws accounts and regions

3 peering uses a star configuration:  1 central vpc - 4 other vpcs

4 no transitive peering ( peering must take place directly between vpcs )
- need a one to one connection to the intermediary VPC

5 no overlapping CIDR blocks

VPC A = 10.0.0.0/16
VPC B = 172.31.0.0/16

                    VPC PEERING CON
VPC A 10.0.0.4/32  ---------------  VPC B 172.31.0.8/32
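Added example (Python, not AWS code and not from these notes) serving two passages: the subnet plan from the VPC note (three public /24s and one private /24, which must each be part of the vpc CIDR and must not overlap each other) and the no-overlapping-CIDR rule for VPC peering above. The VPC CIDR 10.0.0.0/16 for the subnet plan is an assumption, since the notes give only the subnet CIDRs; VPC A and VPC B are the ones listed above.

```python
import ipaddress

# Assumed VPC CIDR for the subnet plan (the notes only list the subnets)
VPC_CIDR = "10.0.0.0/16"

# The subnet plan from the VPC note: three public /24s and one private /24
SUBNET_PLAN = {
    "10.0.0.0/24": "public",
    "10.0.1.0/24": "public",
    "10.0.2.0/24": "public",
    "10.0.3.0/24": "private",
}


def subnet_fits(vpc_cidr, subnet_cidr):
    """A subnet must lie inside the VPC CIDR (same size or smaller, fully contained)."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def overlapping_pairs(cidrs):
    """Every pair of CIDRs that overlap; an empty list means the set is disjoint."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def check_plan(vpc_cidr, plan):
    """Return the problems with a subnet plan (empty list = ok)."""
    problems = [f"{c} is not inside {vpc_cidr}" for c in plan if not subnet_fits(vpc_cidr, c)]
    problems += [f"{a} overlaps {b}" for a, b in overlapping_pairs(plan)]
    return problems


def can_peer(vpc_a_cidr, vpc_b_cidr):
    """VPC peering requires the two VPC CIDR blocks not to overlap."""
    return not ipaddress.ip_network(vpc_a_cidr).overlaps(ipaddress.ip_network(vpc_b_cidr))


if __name__ == "__main__":
    print("plan problems:", check_plan(VPC_CIDR, SUBNET_PLAN))
    print("A/B can peer:", can_peer("10.0.0.0/16", "172.31.0.0/16"))
    print("A/default-vpc can peer:", can_peer("10.0.0.0/16", "10.0.5.0/24"))
```

The last call is the case that bites in practice: a second VPC carved out of the same 10.0.0.0/16 space cannot be peered with the first, because the route tables on both sides would have no way to tell the two networks apart.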


==========



// route table

- route table = determines where network traffic is directed

- every subnet in a vpc must have a route table.

- 1 route table can contain multiple subnets

destination      target

10.0.0.0/16      local
0.0.0.0/0        igw-19asda21312ifsd

public subnet --- route table ---- router --- igw --- internet
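Added example (Python, not AWS code and not from these notes): a longest-prefix lookup over the route table shown above, which is how a destination ending up at `local` versus the internet gateway is decided. The public table uses the igw id from the notes; the private table, with its 0.0.0.0/0 route pointing at a nat gateway, is a constructed addition with a placeholder target id, to show what makes a subnet "public" in the notes' sense.

```python
import ipaddress

# The route table from the notes (destination, target)
PUBLIC_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-19asda21312ifsd"),
]

# Constructed private-subnet table: default route goes to a nat gateway instead.
# "nat-placeholder" is a placeholder id, not a real resource.
PRIVATE_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-placeholder"),
]


def lookup(routes, dst_ip):
    """Target of the most specific route containing dst_ip, or None if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(routes):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-") for cidr, target in routes)


if __name__ == "__main__":
    print(lookup(PUBLIC_ROUTES, "10.0.3.7"))        # local: stays inside the vpc
    print(lookup(PUBLIC_ROUTES, "93.184.216.34"))   # igw: out to the internet
    print(lookup(PRIVATE_ROUTES, "93.184.216.34"))  # nat: out via the nat gateway
    print(is_public_subnet(PUBLIC_ROUTES), is_public_subnet(PRIVATE_ROUTES))
```

Because 10.0.0.0/16 is more specific than 0.0.0.0/0, traffic for another subnet in the same vpc never leaves through the gateway even though the catch-all route would also match it.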


===========



// internet gateway ( IGW )

- allows the vpc access to the internet

functions:
1 provides a target inside the vpc for routing to the internet
2 performs NAT for instances that have been assigned a public ipv4 IP

TO ROUTE TO THE internet you must add to the routing table

destination = 0.0.0.0/0
target = igw

(route table) ---- router --- IGW --- internet



==========



// bastion / jumpbox

bastion = intermediate ec2 instance that has been hardened. // used to jump remote traffic from the internet to a private ec2 ip
- helps gain access via SSH / RDP to ec2 instances in the private subnet

** a bastion must not be used as a NAT ( security purposes )

// nat gateways

- nat gateway : a nat gateway is used so that ec2 instances get outbound internet access for security updates

** a bastion can be replaced with Session manager ( inside systems manager )


==========



// direct connect

- aws direct connect : establishes a dedicated network connection from an on premises location to AWS

- helps reduce network cost
- increases bandwidth throughput
- provides a more consistent network experience than a typical internet based connection

++ very fast network

there are 2 services:
1 lower bandwidth 50M-500M
2 higher bandwidth 1gb / 10gb

on premises customer ---- customer/partner cage ( router ) ---- aws cage ( router ) ---- vpc / ec2

aws direct connect = the router in the middle ( customer / partner cage and aws cage )



=========



// vpc endpoint

- a secret tunnel inside the private aws network
- privately connects a vpc to other AWS services, and VPC endpoint services
- eliminates the need for an internet gateway, NAT, VPN or AWS Direct connect
- instances in the vpc do not need a public ip address to talk to certain services

- traffic between the vpc and the other service never leaves the aws network
- horizontally scaled, redundant and highly available VPC component
- allows secure communication between instances and services without adding availability risk or bandwidth constraints on your traffic

// no need to route traffic via the internet to access certain services
VPC -- VPC endpoint --- s3 bucket

2 types of vpc endpoint :
1 interface endpoint
2 gateway endpoint

// interface endpoint

- called an ENI / elastic network interface with a private ip address.

entry point for traffic going to a supported service.

interface endpoints are powered by AWS PrivateLink
- access services hosted on AWS easily and securely by keeping the network private within the AWS network

// ENI Cost

price per vpc endpoint per az $/hour = 0.01
price per GB data processed ($)  = 0.01

estimated 7.5$ / month

ENI supports the following services:

API GW
cloudformation
cloudwatch
kinesis
sageMaker
Codebuild
AWS Config
EC2 API
ELB API
AWS KMS
Secrets manager
security token service
service catalog
SNS
SQS
Systems Manager
Marketplace partner services
endpoint services in other AWS accounts

// vpc gateway endpoint

- a gateway that is a target for a specific route in your routing table
- used for traffic destined for a supported AWS Service

to create a gateway endpoint you must specify the vpc and the target service you want to establish the connection to

aws gateway endpoints only support 2 services:
1 S3
2 DynamoDB

** vpc ( gateway ) endpoint is free


=========