Whimsy Space AWS Structure
Whimsy.Space has a simple yet complex server side component hosted on AWS. This document tracks notes about the infrastructure.
URLs
- whimsy.space The desktop/homepage. Created from inside ZineOS.
Published to
My Briefcase/public/zine
. .whimsy.space Displays the user's /public .whimsy.space a clean subdomain for a user. - api.whimsy.space System level API (doesn't exist yet)
- *.api.whimsy.space Run hosted user code as an API, terrifying! (doesn't exist yet)
- All of the above also at staging.whimsy.space for testing.
ACM
To handle all those urls with HTTPS we need a cert, so we create one in ACM. It is simple on the AWS console, add them all in, then click open the expanded descriptions, click the buttons to create the DNS validations in Route53. This same cert should work for CloudFront, API Gateway, anything else.
S3
Hosts all user files in the whimsy-fs
bucket .
https://console.aws.amazon.com/s3/buckets/whimsy-fs/?region=us-east-1
The files are organized by user specific folders like us-east-1:e4d94092-1099-4c4d-aa01-1dbbf7e1f1df/
with permissions to only write to their own folder specified in Cognito User Pool rules.
Users have a public
folder like us-east-1:e4d94092-1099-4c4d-aa01-1dbbf7e1f1df/public/
.
This bucket policy makes those files publicly available:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::whimsy-fs/*/public/*"
}
]
}
The My Briefcase
uses the AWS clientside SDK to allow users to authenticate
from the browser. Those credentials are used to write to the S3 bucket and
manage the files in their subfolder.
This has been successfully in use for years and is fairly simple, stable, and robust.
Further experimentation
Well known urls like /public/whimsy.space/profile.json that can be updated by ZineOS apps. This will provide user specific metadata that can be loaded from clients when referring to a user. For example if a user adds software to a catalog they can link it to their id and clients can then view their profile.
DynamoDB
Currently experimental. The goal is to have a table in DynamoDB with similar per user permissions so that users can manage key value data. This could include things like configs or other meta-data that should be synced across acounts.
Can also hold system configuration for ZineOS.
CloudFront
Serves the whimsy.space domain. Eventually will also provide a caching layer to API Gateway.
danielx.whimsy.space is currently hosted on a separate CloudFront. This is left over from testing out if it would be feasible to host all users on a CloudFront (probably not). It also provides a performance boost over the current Glitch based proxy.
Cognito
Cognito User Pools hold logins for ZineOS users. This is a critical component as it has the policies that allow users to write to S3 + DynamoDB
Lambda + API Gateway
Handles uploads and payments for Paint Composer.
Experimenting with a proxy to map subdomains to the S3 public subfolders.
Longer term will handle ZineOS APIs, software catalog, and host user created services.
Further exploration: It should be possible to get the requesting user and hosting user at the API Gateway layer. This can be used to configure a lambda to track usage, provide user to user metered APIs.
Further exploration: Websockets and OT could enable really cool collaborative experiences.