Infrastructure - Tag - IT Guy Journals

Building a Portable FastAPI Backend for AWS Lambda and ECS Using Terraform

Luka Krapić — Fri, 02 May 2025 20:59:24 +0100

In the previous post, we explored how to deploy a FastAPI application on AWS Lambda using an ASGI adapter. This is a great option for early-stage projects: it requires zero infrastructure management, supports rapid iteration, and scales automatically.

But as your application matures, Lambda’s trade-offs can become limiting:

Cost scaling with consistent traffic
Compute/memory coupling and lack of vertical scaling
Package size limits and cold starts

That’s why many teams adopt a container-based workflow that can run on both Lambda (via container images) and ECS Fargate. With a little planning, you can build once and deploy to either platform with minimal friction.

Setting Up a Synology NAS for Your Homelab: The Complete Guide

Luka Krapić — Sat, 26 Apr 2025 13:07:10 +0100

When building or expanding a homelab, setting up a Synology NAS is one of several strong options for managing local storage, backups, and remote access. It’s a flexible platform that offers many features typically found in enterprise storage solutions, but in a form factor and price point that’s accessible to home users.

If you’re considering moving more of your important files, services, or backups off of third-party cloud providers and into a system you control, a NAS can be a great fit. (You can read more about why I personally chose Synology here.

Cloud Storage Is Getting Expensive — Here’s Why I Switched to Synology NAS

Luka Krapić — Sat, 19 Apr 2025 19:13:10 +0100

These days, everything lives in the cloud — photos, videos, documents, backups. And for a while, it felt like cloud storage was the perfect solution: easy to access, always backed up, and simple to share with others.

But if you’re like me and deal with a lot of files — especially big ones like videos or high-res photos — you’ve probably hit the same wall I did: cloud storage gets really expensive, really fast.

Tiered Access To CloudFront Content With Self-Signed Cookies

Luka Krapić — Fri, 19 Jul 2024 16:56:47 +0100

This blog post is a follow-up to our previous post, where we implemented tiered access to S3 data using presigned URLs.

In most production applications, CloudFront is used to serve static content to users. In this post, we will explore how to implement restricted access when serving content through CloudFront.

You can find the complete example here.

What is CloudFront?

In simple terms, CloudFront is a content delivery network (CDN) managed by AWS. A CDN is a network of servers deployed close to end users, serving as a caching layer to improve content delivery speed and reliability.

Multi-Account Cloud Deployment With Terraform And Github Actions

Luka Krapić — Wed, 26 Jun 2024 16:56:47 +0100

In this blog post, we will look at how to implement a multi-account deployment pipeline on AWS using GitHub Actions and Terraform.

We will assume that you have access to at least two AWS accounts: one to hold pipeline resources and one target account where resources will be deployed.

Architecture

Fig 1. Architecture

We will use two accounts: a pipeline account and a target account. The target account is your dev/staging/prod account. Usually, there is more than one target account in a given pipeline, but we will use one for simplicity. The same approach can be extended to an arbitrary number of target accounts.

Tiered Access To S3 Data With Presigned URLs

Luka Krapić — Tue, 11 Jun 2024 16:56:47 +0100

Managing access to your Amazon S3 data is crucial for ensuring security and efficiency in your cloud architecture. You typically have three options for managing access to S3 data for client applications: using Amazon CloudFront distribution, leveraging S3 presigned URLs, or routing through backend APIs.

In this blog post, we will delve into S3 presigned URLs as an effective method for implementing tiered access to your S3 data. We’ll discuss their benefits, limitations, and provide a straightforward example to illustrate their use.

Kubernetes Secrets Management Using Kubernetes Sealed Secrets

Luka Krapić — Thu, 23 May 2024 16:56:47 +0100

Security is a major concern in continuous integration (CI), especially when managing sensitive information like API keys, passwords, and other secrets. For Kubernetes resources, Sealed Secrets offer an effective solution for securely managing sensitive information within your repository. In this blog we will explore what are Sealed Secrets, how to use them and some common management tasks around Sealed Secrets.

What are Sealed Secrets?

Sealed Secrets is a set of Kubernetes resources, controller and custom resource definition, that enables secure storage of secrets in your version control system (VCS). Unlike standard Kubernetes Secrets, which are base64-encoded and easily decoded, Sealed Secrets use asymmetric encryption to ensure your secrets remain encrypted until deployed to your Kubernetes cluster. Once deployed, the Sealed Secrets controller decrypts them into regular Kubernetes secrets, making them accessible to your applications.

Securing Kubernetes Cluster With Cert-Manager And Self-Signed Certificates

Luka Krapić — Mon, 06 May 2024 16:56:47 +0100

Kubernetes is an incredible tool for deploying, scaling, and managing containerized applications. One crucial aspect of kubernetes security is ensuring that communication between different entities is secure. By default, kubernetes management network is secure and pod network is handled by 3rd party plugin which mostly support encryption.

Today we will focus on properly securing outside-in web communication to our cluster with Cert-Manager and self-signed certificates. We assume that you have access to working kubernetes cluster with ingress controller.