Translated by AI
Productivity Weekly (2022-04-13 Issue)
Hello. This is Hirakiba from the Productivity Improvement Team at Cybozu, Inc.
Our Productivity Improvement Team holds a meeting every Wednesday called "Productivity Weekly" to share tips and news discovered during the week regarding developer productivity improvement.
This article is a summary of the topics discussed then.
This is the 70th issue. Past articles can be found here.
news 📺
AWS Lambda Function URLs: Built-in HTTPS Endpoints for Lambda Functions
You can now set up HTTPS endpoints using only AWS Lambda (no API Gateway required). You can configure IAM-based access control, CORS, and more. There are no additional costs. It is already available in the Tokyo region.
The URL format is https://<random-string>.lambda-url.<region>.on.aws/ [1].
The article by DevelopersIO (Classmethod) is very detailed. It covers how to receive parameters, settings for cookies, CORS, IAM restrictions, etc.
By the way, it seems the Serverless Framework already supports AWS Lambda Function URLs, and DevelopersIO quickly wrote an article about that too (their response time is impressive).
It's great that we can now easily set up Webhooks for Lambda. I'd like to use this for new functions.
GitHub Action for dependency review enforcement | GitHub Changelog
An official GitHub Action for reviewing dependencies, actions/dependency-review-action, has been released (public beta).
It scans dependency changes in pull requests and warns if any dependencies have vulnerabilities. It supports the package ecosystems supported by the Dependency graph. Internally, it seems to use the dependency-graph/compare API.
It is available for all public repositories and private repositories in organizations with a GitHub Advanced Security license. This increases the value of GitHub Advanced Security.
While Dependabot can also find vulnerable dependencies, it cannot detect them before merging [2]. actions/dependency-review-action addresses the use case of wanting to detect vulnerabilities before a PR is merged.
I actually tried it out. I intentionally added an npm package with a vulnerability (async@2.6.3), and it successfully flagged it.

Screenshot of my test: It's flagging "Dependency review detected vulnerable packages."
Being able to detect vulnerabilities before merging is definitely a plus. For example, while some package managers like npm warn during installation, this is useful when using other package managers or when you want to strictly prevent merging.
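The pre-merge check described above comes down to filtering a pull request's dependency diff for newly added packages that carry advisories. The following Python is an added illustration, not the action's own code: the field names are assumed to follow the dependency-graph/compare response, the payload and GHSA IDs are constructed placeholders, and `fail_on` is a hypothetical threshold parameter.

```python
# Severity order used to compare an advisory against the gate threshold.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of a dependency-graph/compare response
# (not real API output; GHSA IDs are placeholders).
SAMPLE_DIFF = [
    {"change_type": "added", "ecosystem": "npm", "name": "async",
     "version": "2.6.3", "vulnerabilities": [
         {"severity": "high", "advisory_ghsa_id": "GHSA-xxxx-xxxx-xxxx"}]},
    {"change_type": "removed", "ecosystem": "npm", "name": "old-lib",
     "version": "1.0.0", "vulnerabilities": [
         {"severity": "critical", "advisory_ghsa_id": "GHSA-yyyy-yyyy-yyyy"}]},
    {"change_type": "added", "ecosystem": "npm", "name": "minor-lib",
     "version": "0.4.0", "vulnerabilities": [
         {"severity": "low", "advisory_ghsa_id": "GHSA-zzzz-zzzz-zzzz"}]},
    {"change_type": "added", "ecosystem": "npm", "name": "clean-lib",
     "version": "3.1.0", "vulnerabilities": []},
]


def blocking_findings(diff, fail_on="low"):
    """Return (package@version, severity, advisory id) for every advisory on
    a newly added dependency at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on]
    findings = []
    for change in diff:
        # Removing a vulnerable package is an improvement; only additions count.
        if change.get("change_type") != "added":
            continue
        for vuln in change.get("vulnerabilities") or []:
            severity = str(vuln.get("severity", "")).lower()
            # Unknown or missing severity fails closed: treat it as critical.
            rank = SEVERITY_RANK.get(severity, SEVERITY_RANK["critical"])
            if rank >= threshold:
                findings.append((f"{change['name']}@{change['version']}",
                                 severity or "unknown",
                                 vuln.get("advisory_ghsa_id", "")))
    return findings


def gate(diff, fail_on="low"):
    """Exit-code style result: 1 blocks the merge, 0 allows it."""
    findings = blocking_findings(diff, fail_on)
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, findings = gate(SAMPLE_DIFF, fail_on="moderate")
    for package, severity, ghsa in findings:
        print(f"{severity:9} {package:16} {ghsa}")
    raise SystemExit(code)
```

The removed `old-lib` entry never blocks even though its advisory is critical, which is the behaviour that separates a pull-request diff check from a scan of the whole dependency tree.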
Required Deployments | GitHub Changelog
In GitHub, you can now specify Deployments as a condition for Branch protection. This allows you to ensure that a Deployment has succeeded before merging a pull request.
This is a welcome change for those using Deployments. I hadn't used Deployments (or rather Environments) much myself, so I didn't know they couldn't be included in Branch protection conditions. I want to try out Environments properly.
terraform-aws-provider 4.9.0 released, some S3-related errors changed to warnings
In v4.0 of the Terraform AWS Provider, breaking changes were made to the aws_s3_bucket resource. As a result, migrating from v3 to v4 required fixing S3-related errors. Starting with v4.9, however, the errors caused by the breaking changes in aws_s3_bucket have become warnings.
DevelopersIO (Classmethod) has already published an article investigating this behavior, which is worth reading as well [3].
The article compares updating to v4.8.0 with updating to v4.9.0, and also investigates the behavior when both the old and new ways of writing the configuration are used together. Apparently, that results in an infinite loop during drift detection.
For projects handling many S3 buckets, the migration work might have been quite tedious and discouraging, but now that they are treated as Warnings, you might feel more inclined to upgrade to the v4 series for now. However, just because they are warnings doesn't mean they should be left as is, so let's all migrate soon.
know-how 🎓
I translated the book "Operations Anti-Patterns" | yuichielectric | note
This is an introduction article by the translator of the recently released book "Operations Anti-Patterns."
The original book, "Operations Anti-Patterns, DevOps Solutions," was written by Jeffery D. Smith, who has worked on DevOps transformation at several companies. According to the translator, Mr. Tanaka, it is a book for those practicing transformation through DevOps and summarizes what individual engineers within an organization can do.
The article provides an overview of the book and summaries of each chapter (Chapters 2 to 12), giving you an idea of what you can learn from it.
Personally, I'm quite interested in this book from the perspective of increasing the productivity of developers (who might also handle operations) and delivering product value quickly. If you're interested, I recommend reading this article first.
tool 🔨
Released KubeTempura, an OSS for easily testing Pull Requests on Kubernetes
This is an introduction article for KubeTempura, a Kubernetes Operator that automatically deploys k8s resources triggered by the creation of a pull request. KubeTempura is an OSS developed by Mercari, allowing QA and others to easily test changed code.
The article explains the overview, development motivation (ensuring flexibility, reasons for making it an Operator), and usage (configuration, basic usage, external access methods) in detail.
Automating the creation of pull request environments is a great feature. Since it builds environments from k8s resources that are also used in production, it seems convenient as you don't have to go through the trouble of preparing a verification environment for the application yourself (though some adjustments would likely be necessary). Since it has just been released as OSS and is still in version 0.x, it might be difficult to use in a professional setting immediately, but it's an interesting approach that I'd like to try out.
koneta 🍘
This is a section for topics that I wanted to introduce in Productivity Weekly but didn't have the energy for, or for topics where there wasn't much to say, so I've written just a brief sentence about them.
- news 📺
  - Datadog CI Visibility price reduced
    - Previously, Pipeline Visibility and Testing Visibility were each $20/user/month (annual billing).
    - Pipeline Visibility has been directly reduced in price, and both have changed from "Per user" to "Per committer," making it an effective price cut.
      - I guess many people thought the previous price was high.
  - You can now name your fork when creating it | GitHub Changelog
    - You can now change the repository name when forking on GitHub.
    - Previously, you could only change the name after forking.
- know-how 🎓
  - Receive YouTube channel update notifications and execute Lambda
    - As a method to receive YouTube channel notifications, the YouTube Data API documentation introduces a method using Google PubSubHubbub Hub.
    - The PubSubHubbub mechanism is interesting. The name too.
    - Google PubSubHubbub Hub seems to be available for free. Amazing.
- tool 🔨
  - Introducing DuckDuckGo for Mac: A Private, Fast, and Secure Browsing App
    - DuckDuckGo released a browser for macOS, DuckDuckGo for Mac.
    - It claims to provide high-speed browsing by blocking trackers before they load.
    - It uses WebKit, the rendering engine included with macOS.
    - It's still in private beta, so sign up for the waitlist if you're interested.
  - Mizu - API Traffic viewer for Kubernetes
    - An API traffic viewer tool for Kubernetes.
    - Supports multiple communication protocols.
    - Seems useful for troubleshooting and similar tasks.
    - Looks interesting even just to observe.
Afterword
As I mentioned at the beginning, I'm very sorry for the long delay in publication. I've been busy and couldn't find any time to write. Recently, I attended a few in-person study groups, and in-person is really great after all, especially for interacting with others. I was able to talk to some of the people who read these articles, so I want to keep working even harder.
The Productivity Improvement Team at Cybozu carries out activities to improve the development productivity of internal engineers. If you're interested in the team, click the link below!
omake 🃏
This week's bonus.
[1] I noticed the top-level domain is aws. According to How Tech Giants Like Amazon And Google Are Playing The Icann Domain Game | TechCrunch, they seem to have acquired it as early as 2012.
[2] It might be possible if you try hard enough.
[3] Others who tried the update have also published articles, which I think will be helpful as well. [Changes to S3 Bucket Drift Detection] Updates to the aws_s3_bucket resource in Terraform AWS Provider 4.9 | gkzz.dev