Whimsy Space AWS Structure

Whimsy.Space has a simple yet complex server side component hosted on AWS. This document tracks notes about the infrastructure.

URLs

ACM

To handle all those URLs with HTTPS we need a cert, so we create one in ACM. It is simple in the AWS console: add them all in, then open the expanded descriptions and click the buttons to create the DNS validation records in Route53. This same cert should work for CloudFront, API Gateway, and anything else.

S3

Hosts all user files in the whimsy-fs bucket.

https://console.aws.amazon.com/s3/buckets/whimsy-fs/?region=us-east-1

The files are organized into user-specific folders, such as us-east-1:e4d94092-1099-4c4d-aa01-1dbbf7e1f1df/, and the Cognito User Pool rules grant each user write permission only to their own folder.

Users have a public folder, such as us-east-1:e4d94092-1099-4c4d-aa01-1dbbf7e1f1df/public/. This bucket policy makes the files in it publicly readable:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::whimsy-fs/*/public/*"
        }
    ]
}

The My Briefcase app uses the AWS client-side SDK so that users can authenticate from the browser. Those credentials are used to write to the S3 bucket and manage the files in the user's subfolder.

This has been in use successfully for years and is fairly simple, stable, and robust.
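As an added check (not part of the Whimsy.Space code), the script below evaluates the bucket policy above the way IAM does, so you can audit which keys end up anonymously readable. The sample keys are constructed; the only page value it reuses is the user id. It also shows a property worth documenting: the IAM wildcard spans '/', so a folder named public at any depth under a user's prefix, not only the top-level one, matches the policy.

```python
import json
import re

# The bucket policy quoted in the notes above.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::whimsy-fs/*/public/*"}]
}""")


def iam_glob(pattern: str, ignore_case: bool = False) -> "re.Pattern[str]":
    """Translate an IAM action/resource pattern to a regex.

    In IAM, '*' matches any run of characters, '/' included, and '?'
    matches exactly one character; everything else is literal.
    Action names are case-insensitive; S3 object keys are not.
    """
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_read(bucket: str, key: str, policy: dict = BUCKET_POLICY) -> bool:
    """True if an anonymous principal is granted s3:GetObject on s3://bucket/key."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in policy["Statement"]:
        anonymous = stmt["Principal"] in ("*", {"AWS": "*"})
        action_hit = any(iam_glob(a, True).match("s3:GetObject") for a in _as_list(stmt["Action"]))
        resource_hit = any(iam_glob(r).match(arn) for r in _as_list(stmt["Resource"]))
        if not (anonymous and action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed


if __name__ == "__main__":
    user = "us-east-1:e4d94092-1099-4c4d-aa01-1dbbf7e1f1df"  # id from the notes
    # Constructed sample keys: the third is two levels deep yet still exposed,
    # because the '*' before '/public/' spans path separators.
    for key in (f"{user}/public/whimsy.space/profile.json",
                f"{user}/private/notes.txt",
                f"{user}/projects/public/draft.txt"):
        print(f"{is_public_read('whimsy-fs', key)!s:5}  s3://whimsy-fs/{key}")
```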

Further experimentation

Well-known URLs like /public/whimsy.space/profile.json that can be updated by ZineOS apps. These will provide user-specific metadata that clients can load when referring to a user. For example, if a user adds software to a catalog, they can link it to their id, and clients can then view their profile.

DynamoDB

Currently experimental. The goal is a DynamoDB table with similar per-user permissions so that users can manage key-value data. This could include configs or other metadata that should be synced across accounts.

Can also hold system configuration for ZineOS.

CloudFront

Serves the whimsy.space domain. Eventually it will also provide a caching layer in front of API Gateway.

danielx.whimsy.space is currently hosted on a separate CloudFront distribution. This is left over from testing whether it would be feasible to host all users on CloudFront (probably not). It also provides a performance boost over the current Glitch-based proxy.

Cognito

Cognito User Pools hold logins for ZineOS users. This is a critical component, as it holds the policies that allow users to write to S3 and DynamoDB.

Lambda + API Gateway

Handles uploads and payments for Paint Composer.

Experimenting with a proxy to map subdomains to the S3 public subfolders.

Longer term, it will handle ZineOS APIs, the software catalog, and hosting of user-created services.

Further exploration: It should be possible to identify both the requesting user and the hosting user at the API Gateway layer. This can be used to configure a Lambda to track usage and provide user-to-user metered APIs.

Further exploration: Websockets and OT could enable really cool collaborative experiences.