How to add if statements to your CloudFormation CDK templates

I recently came upon a situation where I was building an application using AWS CDK (a framework that lets you write TypeScript which is then synthesized into a CloudFormation template) and I needed to reference a bucket in the template, but the bucket name would be different in Beta versus in Prod. I naively thought I could just do this:

// Don't use this, this code doesn't work
import cdk = require("@aws-cdk/cdk");      // pre-1.0 CDK package names, matching the API used here
import s3 = require("@aws-cdk/aws-s3");

const stage = new cdk.Parameter(this, "Stage", {
  default: "beta",
  type: "String"
});

// Evaluated by TypeScript at synth time: `stage` is a Parameter object, never the string "prod"
const bucketName = stage === "prod" ? "app-prod-bucket" : "app-beta-bucket";
const Bucket = s3.Bucket.import(this, "AppBucket", {
  bucketName: bucketName
});

The mistake I made is forgetting that CDK code is compiled into a CloudFormation template. When I run cdk synthesize it evaluates this code in TypeScript, and at that point stage is not the string "prod" (or any string at all); it's a Parameter object, a placeholder for a value CloudFormation fills in at deploy time. So stage === "prod" is always false, the ternary is resolved right there, and the literal string "app-beta-bucket" is written into the template.

Then when deploying this compiled template it doesn't matter what the parameter Stage is set to: the if statement has already been compiled out, nothing in the template references the parameter, and the bucket name is always "app-beta-bucket".

To fix this you need to use CloudFormation Conditional Statements, like so:

const stage = new cdk.Parameter(this, "Stage", {
  default: "beta",
  type: "String"
});

// Becomes a Conditions entry in the template
new cdk.Condition(this, "UseProdBuckets", {
  expression: cdk.Fn.conditionEquals(stage, "prod")
});

// Becomes an Fn::If in the template, resolved by CloudFormation at deploy time
const bucketName = cdk.Fn.conditionIf(
  "UseProdBuckets", "app-prod-bucket", "app-beta-bucket"
);

const Bucket = s3.Bucket.import(this, "AppBucket", {
  bucketName: bucketName
});

Now your if statement will be compiled into the template and the bucket name will change depending on the value of the "Stage" parameter. You can verify this by running cdk synthesize and checking that the output contains a Conditions block and that the bucket name appears as an Fn::If rather than a literal string. One caveat that follows from the code above: because the parameter has default "beta", a prod deployment that forgets to pass Stage=prod will silently use the beta bucket, so either drop the default or make your deploy tooling always pass the parameter explicitly.
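For a concrete check, this is the shape of the template the fixed code should synthesize. It is written out by hand here as an illustration, not copied from cdk synthesize output, and shown as YAML for readability (the CDK emits the JSON equivalent). The Parameters and Conditions blocks follow directly from the code above; the Outputs block is an assumption added only to show where the Fn::If lands, since an imported bucket creates no resource of its own:

```yaml
# Illustration of the synthesized template, not actual cdk synthesize output
Parameters:
  Stage:
    Type: String
    Default: beta          # consider removing so prod deploys must be explicit

Conditions:
  UseProdBuckets:
    Fn::Equals:
      - Ref: Stage          # resolved by CloudFormation at deploy time
      - prod

# Assumed output, added for verification only: wherever bucketName is used,
# the property value is this Fn::If expression rather than a literal string.
Outputs:
  AppBucketName:
    Value:
      Fn::If:
        - UseProdBuckets
        - app-prod-bucket
        - app-beta-bucket
```

If the synthesized template still shows "app-beta-bucket" as a plain string anywhere, that reference was resolved in TypeScript at synth time and needs the same Fn::If treatment.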


2017 Year in Review

So it’s been a while eh. 16 months since my last update, that’s almost a record. I’ve been procrastinating writing my 2017 year in review for about 8 months now, because as you may have guessed, I didn’t accomplish many of the things I set out to do. I’ll have more to say about work ethic and reflecting on my reasons for failing to meet my expectations soon, but I must get this post out before midnight or I’ll be fined $50. I’ve found having a monetary fine has been one of the best ways to stick to my goals, even if it does cause me to rush at the last minute.

So what did I accomplish out of my monthly goals for 2017? and what am I planning to do in the future?

Paper Towers

I’m happy to report that this goal was completed and you can find the open source Tower Storm here. There’s still a LOT more I’d like to do with this game and codebase such as moving to ES6 instead of CoffeeScript, adding a map editor, removing the dependency on RethinkDB, and making it simpler to setup a server (a docker based setup would be sweet). I also want to release videos walking through the codebase (which I did record and put on Twitch, but it looks like they disappear after a few weeks?). I ended up keeping the name Tower Storm because I already owned the domain and social media pages and I still love the name.

Learn Spanish

This I also somewhat accomplished. I took lessons on italki for a while which were incredibly helpful and accelerated my skills far faster than Duolingo, though both together was a good combo. My girlfriend spent the summer of 2017 in Ecuador doing her masters thesis and I was able to visit for a week and somewhat navigate my way around with the Spanish skills I’d learnt. I could barely hold a simple conversation with someone who spoke slowly and clearly.

Krav Maga

I ended up doing Krav Maga for a year, and it was fun. I learnt a lot and feel like I could defend myself in a bar brawl, but would still have trouble against someone with any kind of weapon. The classes were intense and really pushed my body to the limits, including one I had to bail on half way through because I was close to passing out (probably shouldn’t have done it after not eating for 8 hours). The only downside was there was a long period where I could only take basic classes which was frustrating. There was some special training you had to do to take advanced classes where you actually sparred with other people, and there were no classes for this coming up for months. I’ve stopped doing Krav Maga at the moment but I may pick it up again in the future.

Study Time

Unfortunately I barely started on Study Time, BUT I did have a big breakthrough in how this would work. For the longest time I’ve been wanting to build a peer to peer social network (it was in my bundle of ideas but didn’t make the top 10 list because I didn’t think I was skilled enough to pull it off). This social network would have no central servers, just everyone hosting some small portion of the data and sharing it with everyone else. Anyway I’ll delve into this deeper in another post but I found a network that is basically this called Scuttlebutt, and using this same technology I think it’ll be possible to build the API’s for the metadata about each lesson / course on top of this network. Then anyone will be able to load up the application, download metadata about courses off other students, and when viewing the videos stream them via torrents. I’m super excited about this and want to try and pull it off again soon, I feel like the pieces are available I just need to put them together.

Learn the Cello

I did this one! For 6 months I learnt the Cello last year, and it culminated in being able to play a (pretty crappy) rendition of the red wedding theme song from Game of Thrones. I stopped after 6 months because I wanted to dedicate time to other projects, but I would like to pick it up again one day.

Educational Honesty, Reverse giving charity, Build a Farmbot, Web Basic, Mass Reforestation

Unfortunately I didn’t even make a start on any of these projects (well, there was some research, but nothing created). Which is a bit of a disappointment. I feel like I got too distracted by my work at Amazon towards the end of the year (with AWS Cloud9 being released) and put everything on hold and slowly forgot about them.

I will be building a FarmBot later this year, I finally have a balcony that gets enough sun that this is possible. I’m not sure about the rest of the projects, they’re things I would love to see in the world but don’t quite fit my optimum hedgehog intersection. I’ll be reviewing my ideas backlog and coming up with some further ideas for this year soon. I’ll also be utilizing this monetary fine mechanism to ensure I post more and share my ideas more on this blog, because they’re not going to happen when they’re tucked away in my private notes.

So I accomplished 4 out of 10 ideas I wanted to do last year, which isn’t bad, but I can do better. I’ll be creating my list of goals for the next year soon and taking all my lessons from the last 18 months into account when doing so. At the very least I learnt a ton, and that’s my motto for life: Always be Learning. It’s not about where you are but where you’re going and how fast you’re getting there. If you have ideas or feedback for me, let me know. Last of all: enjoy life, and don’t forget to be awesome.


Projects Status Update – April 2017

I unfortunately procrastinated the March status update so much that it has melded into the April update. Over the past 2 months I’ve been working on 4 of my 10 Projects for 2017. Those 4 are: Paper Towers, Spanish, Krav Maga, and learning the Cello. My current core focus is learning the Cello and I’m spending 3 – 4 hours a week on the rest.

Paper Towers (Now Tower Storm again)

Firstly I decided to stick with the name Tower Storm instead of re-branding this project as Paper Towers. I’m proud to say that Tower Storm is finally Open Source! I spent around 30 hours in the last 2 months removing all copyrighted graphics and sounds from the game, and cleaning up the code so it’s easy for anyone to run and make modifications. I finally pulled the trigger a few hours ago and put it up on Github. I also did my first open source development stream, if you’re interested in seeing how I develop Tower Storm, how to mod it yourself, and my thoughts on programming in general you can follow me on Twitch.


Learn Spanish

As of the 21st of April I was up to a 25 day streak on Duolingo doing at least 30 minutes of Spanish a day (50xp per day). Unfortunately I lost that streak, but I will be continually learning Spanish on Duolingo over the next year. Alongside that I’ve been watching movies, LoL games and random Youtube videos in Spanish. I’ve also switched my PC and Phone to use Spanish as their default language. Every little bit of learning helps.

Krav Maga

I signed up for Krav Maga 2 weeks ago and so far have done 6 classes. I’ll probably continue this 3 times a week schedule. So far we’ve practiced basic punching, hammer fist, kicking, roundhouse kicks, getting out of chokes, and defending yourself when you’re on the ground. I’m really enjoying it so far, it’s useful, it’s a ton of fun fighting as hard as you can (into pads) and it’s a great workout. I hadn’t been punched in maybe 15 years and it’s an eye opening experience, and made me realize I have to toughen up a lot if I want to survive a real life fight.


Learn the Cello

To celebrate the open sourcing of Tower Storm and the down-winding of that project I went out and hired a Cello for 3 months. I’ve only had it a week now and haven’t had lessons yet. I bought a beginners book and have been teaching myself how to play with that and YouTube tutorials. I’m excited to report that I can already play the beginning of the Rains Of Castamere song! Albeit with a lot of squeaks and quite slowly. I can’t wait to learn more.

So that’s it. I’ll be continuing to focus on these 4 activities until at least the end of May whereupon I may start on another depending on my progress and time available.


One project every month

I constantly have ideas of software I want to build, skills I want to learn, sites I want to create. I’ve been writing these ideas into Evernote since 2009. The problem is I often start working on an idea but give up a week or two later when something else comes along. Life is too short for that, so now I’m going to get focused.

A few months ago I started organizing all these ideas on a Trello board to figure out how I want to spend the next 5 years of my life.

I had 125 ideas in total, which I’ve whittled down to my 10 favourite. This year I’ll be spending 1-2 months building a prototype or learning the basics of each. Then at the end of the year I should know what I want to spend a few years focusing 100% of my energy on.

My top 10 ideas for 2017 are:

Paper Towers

This is the open source version of Tower Storm. My original vision for Tower Storm is a Tower Defense game with as much depth as DOTA. Unfortunately this scope is far too huge for an indie company. However it has one major strength: It’s a web game that doesn’t require compiling and is configured through JSON scripts. So if I open source it others can build their own TD games using this engine / framework. They can make maps, minions, towers, game modes and more and share them around and help each other, and it can turn into something much bigger and more fun than I could produce by myself. I’d love to see what the community creates once this is released.

Learn Spanish

I’m currently at a level where I can hold a basic conversation. I want to get to a level where I can start thinking in Spanish and be able to hold ongoing conversation consisting of more than introductions and small talk.

Krav Maga

This is mostly about self defense, and hopefully it’ll be a lot of fun too. My first lesson is this Monday.

Study Time

Think Popcorn Time for MOOCs. Software where you can learn anything you desire and it’s completely peer to peer and streamed via torrents. This way knowledge and lessons can live on forever even when MOOC sites take down their courses or shut down.

Learn the Cello

I’ve learnt the Clarinet and Tenor Sax, but have yet to figure out a stringed instrument. I love the sound of a Cello and my goal is to play the Rains Of Castamere.

Educational Honesty

I’ve been reading Amusing Ourselves to Death, it was written in 1985 and is absolutely on point with how woefully unintelligent public discourse has become on topics that we should be taking seriously. I want to build a site focused on educating, not influencing. A place where intelligent debate is praised, and all opinions are considered. Twitter, memes and the comment sections on most websites are what I consider “information junk food”. We had a crisis with actual junk food in the 70’s, 80’s and 90’s, but if you look around recently you’ll notice these trends are reversing, people are now eating healthier and taking better care of their bodies. We must now do the same with our brains. I believe with good information we can do just that and live healthier mental lives, just like how we fought back against real junk food.

Reverse giving charity

It’s well known in psychology that if you get given a gift you feel more obliged to give back in return, this is why food samples and waiters giving mints at the end of a meal work so well. I’d like to try a charity built around this idea. Imagine giving people free coffee from countries in Africa or South America, and included with that is information about the country it came from, the issues it faces, and how you can help fix those issues, via donations or spreading the word. I think you’d have much more success garnering support in this way than the usual begging on the street, and so want to try it out. I may join an existing charity or start my own (depending on difficulty).

Build a Farmbot

The Farmbot is one of the coolest pieces of technology I’ve ever seen in my life, and it’s completely open source! I’d like to try building one of these from scratch and helping refine their wiki with information on where to source parts and fixing bugs and issues with the documentation or software. Imagine if we could get Farmbot cheap enough and reliable enough that anyone can homestead and get the basic food they need to live completely free.

Web Basic

I recently read an article on how q-basic is still the best beginners programming language, and I have to agree. Q-Basic was the language I started with when I was 11 and it makes far more sense to non-coders than most other languages. But installing q-basic, compiling, and sharing programs is not so beginner friendly. So why not bring Q-Basic to the web. Imagine if you could create a new Cloud9 project and just start coding in Q-Basic, hit run, and the program is compiled to Javascript and rendered using Canvas. Kids could start learning and coding in seconds and send their projects to friends minutes later (just send them the preview link!). This social feedback loop could bring so much joy to kids and lowering that barrier to entry could entice many new kids to learn coding that had never considered it before.

Mass Reforestation

We’ve had mass deforestation for 100 years now and the effects have been devastating. Now we need to reverse this process, but how? With drones of course! Imagine if we could create a drone that surveys a piece of land, uses AI to figure out the perfect combination and density of trees and fauna to re-invigorate that land, and then goes ahead and does it all by itself. The technology is available now, we just need someone to compile the knowledge and build the software. The mass reforestation site will share ideas and technology on the latest efforts to reforest the world so that everyone can take part. Eventually with enough people and drones out there we’ll be able to accomplish mass reforestation.

What about the other 115 ideas?

I still really want to see them happen, I’m just not particularly excited about doing them myself. So I’m going to share them here on this blog, please steal them as I post them and help make the world a better place 🙂


Back to WordPress

I gave Ghost a good shot. And I do love it as a blogging platform, the markdown and writing experience is beautiful. But I’ve switched this site back to WordPress because I want it to be more than just a blog. I’ve been inspired by Derek Sivers’s site and want to make this a platform for many different videos, reviews, and projects I’m working on. If you notice anything broken please let me know.

I’ve also installed the Jetpack Markdown plugin because writing in markdown is so much nicer and cleaner than the default WordPress editing experience (or maybe I’ve just become used to it, coding and submitting PRs on Github for the last 2 years).

I did like that Ghost was written in NodeJS, which I love far more than PHP, but in the end I did very little actual core hacking so that really didn’t matter.


Get docker container start time in unix timestamp (seconds)

You can use the following command to get the start time of a docker container as a unix timestamp (seconds since 1970). It relies on GNU date, whose -d accepts the RFC 3339 timestamp (with nanoseconds) that docker inspect prints; the BSD date on macOS does not take -d this way.

docker inspect --format='{{.State.StartedAt}}' <CONTAINERID> | xargs date +%s -d

Just replace <CONTAINERID> with the actual container id (or name). Note that a container that was created but never started reports StartedAt as the zero time 0001-01-01T00:00:00Z, which date will happily turn into a large negative number, so check State.Running (or State.Status) before trusting the value.

Or you can use this to get the start time of all your running containers (docker ps -q only lists running ones; add -a to include stopped containers, with the zero-time caveat above):

docker ps -q | xargs docker inspect --format='{{.State.StartedAt}}' | xargs -n1 date +%s -d

How to stop Datadog alert recoveries going to Pagerduty

At Cloud9 we use Datadog for all our server monitoring and Pagerduty for alerts when things break. To do this we use the standard Datadog + Pagerduty integration and make Pagerduty automatically trigger for critical incidents by adding @pagerduty into the “Say what’s happening” field in the Datadog monitor.

Unfortunately Datadog sends the monitor notification both when the monitor triggers and when it recovers. Because we had @pagerduty in the “Say what’s happening” area this meant we got a PagerDuty call both times.

You can fix this by wrapping the @pagerduty trigger with {{#is_alert}}{{/is_alert}}. So your monitor should look something like:

Docker is having trouble creating containers. Please investigate @slack-datadog @slack-warnings {{#is_alert}}@pagerduty{{/is_alert}}

You can also use {{#is_warning}}@pagerduty{{/is_warning}} for warnings (where the monitor has gone over the warning threshold but not the alert threshold).

Then you can go back to bed safe in the knowledge your server isn’t going to wake you up to tell you “Everything is good, nothing is broken”.


How to get docker ps data in JSON format

If you want to get the output of docker ps in JSON format the easiest way is to enable the remote docker API over TCP and use that, you can read about how to do that here.

However the TCP API has no authentication unless you also set up TLS client certificates, so if you can’t expose it because of security issues or for other reasons there is another way! With curl version 7.40 (If this isn’t available on your distro click here) and newer you can send requests to a local unix socket, and the docker daemon always serves the same API on /var/run/docker.sock. Keep in mind that anyone who can write to that socket can start privileged containers, so it is effectively root on the host: run the command as root or as a member of the docker group rather than loosening the socket’s permissions to make it work.

Here’s what you have to run:

curl --unix-socket /var/run/docker.sock http://localhost/containers/json

Tada! Nice JSON formatted docker ps output (the host part of the URL is ignored when talking to a unix socket, only the path matters). I recommend using the jq tool if you want an easy way to parse it in bash.


Linux Traffic control hfsc what is [default $CLASSID]

While learning our traffic control setup at Cloud9 I came across this line:

tc qdisc add dev $IFACE root handle 1: hfsc default 12

Most of it is explained by these great in depth guides to tc and hfsc traffic shaping:

And the man page at:

The only thing I couldn’t figure out was what default 12 means. I originally thought it was some built-in default policy that comes included with tc. It actually refers to a class that you’ve defined: the minor id of the class that any packet not matched by a filter is sent to. Two details worth knowing. First, tc reads this number as hex, just like the minor part of a classid, so default 12 refers to class 1:12 (both are 0x12); it would not match a class written as 1:18. Second, hfsc does not pass unclassified traffic through unshaped the way you might expect: if no default is given, or the default doesn’t name an existing leaf class, those packets are dropped, so a typo here silently blackholes every outbound packet that no filter catches.

So in our case we had the following other classes defined:

tc class add dev $IFACE parent 1:1 classid 1:10 hfsc rt m1 $HALF_MAXUP d 10ms m2 $MAX_UPRATE
tc class add dev $IFACE parent 1:1 classid 1:11 hfsc ls m2 $HALF_MAXUP ul m2 $MAX_UPRATE
tc class add dev $IFACE parent 1:1 classid 1:12 hfsc ls m2 $LOW_MAXUP ul m2 $LOW_MAXUP
tc class add dev $IFACE parent 1:1 classid 1:13 hfsc ls m2 $VERY_LOW_MAXUP ul m2 $VERY_LOW_MAXUP

$IFACE is the interface we’re running the rules on and the rates such as $HALF_MAXUP are network speeds in kbps that we’ve set and are still experimenting with.

Below this we then had a bunch of rules that prioritize different traffic types which look like below:

# prioritize SSH
$TC filter add dev $IFACE protocol ip parent 1: prio 1 u32 match ip sport 22 0xffff flowid 1:10
$TC filter add dev $IFACE protocol ip parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:10

# prioritize DNS
$TC filter add dev $IFACE protocol ip parent 1: prio 2 u32 match ip sport 53 0xffff match ip protocol 0x6 0xff flowid 1:10
$TC filter add dev $IFACE protocol ip parent 1: prio 2 u32 match ip dport 53 0xffff match ip protocol 0x6 0xff flowid 1:10

# prioritize application traffic
$TC filter add dev $IFACE protocol ip parent 1: prio 3 u32 match ip sport 8080 0xffff flowid 1:11
$TC filter add dev $IFACE protocol ip parent 1: prio 3 u32 match ip sport 8081 0xffff flowid 1:11
$TC filter add dev $IFACE protocol ip parent 1: prio 3 u32 match ip sport 8082 0xffff flowid 1:11

# Make UDP and ICMP really slow, they are rarely used for legitimate purposes
$TC filter add dev $IFACE protocol ip parent 1: prio 4 u32 match ip protocol 17 0xff flowid 1:13
$TC filter add dev $IFACE protocol ip parent 1: prio 4 u32 match ip protocol 1 0xff flowid 1:13

These rules ensure our users are able to ssh, resolve sites and host their applications at full speed, while throttling those who may be attempting to use Cloud9 for nefarious reasons. We also have other blocking rules not included here for security reasons. One thing to notice when reading the DNS filters: both require ip protocol 0x6 (TCP) in addition to port 53, so only DNS over TCP is placed in 1:10. A UDP query to port 53 fails that match, falls through to the protocol 17 rule at prio 4, and ends up in 1:13 with the rest of UDP, so check with tc -s class show dev $IFACE that resolver traffic is landing where you expect.

So all outbound traffic that doesn’t match these rules is subject to class 1:12, which gives users a link-share rate (ls m2) of $LOW_MAXUP and an upper limit (ul m2) of the same $LOW_MAXUP, meaning the class can never borrow bandwidth above that ceiling even when the link is idle. That’s what the default 12 at the end means.

Let me know if you have any questions about this or suggestions on how to improve our traffic shaping. I’m no expert on this and didn’t write most of these rules, but just sharing what I’ve learnt to help others having the same confusions.


Using Express 4 routes to secure your web app

Today I had the fun task of taking Cloud9’s build bot and making it more secure. Primarily because it’s now exposed to the outside world and we don’t want random strangers having the ability to ship or revert our code.

Our bot responds to slash commands on Slack, so we can type /ship [appname] at any time in any channel in Slack and the latest tested code will be pushed to production. It also receives notifications from Jenkins when jobs have started, succeeded or failed.

Securing Slack

The first step was ensuring all Slack commands were actually coming from Slack. Whenever you create a new slash command Slack tells you it will send a specific token in the body of every request, and you should use this to verify the call is from Slack.

Now there are multiple routes we wanted our bot to talk to and multiple slash commands to reach them, each with their own tokens. But we don’t want to add if (token == "xyz") to every single route. Firstly because it’s messy, and secondly because whenever a new developer joins the project they have to remember to do that, and if they forget, the new route is open to anyone. So how do we do it? By creating a /slack router whose middleware verifies the token before any route under it runs.

var express = require("express");
var bodyParser = require("body-parser"); // Slack slash commands POST form-encoded bodies
var config = require("config");

var app = express();
app.use(bodyParser.urlencoded({ extended: false })); // populates req.body.token

// Router-level middleware: runs before every route mounted under /slack
function verifyToken(req, res, next) {
  if (!req.body.token || config.get("slack.tokens").indexOf(req.body.token) === -1) {
    return next(new Error("Invalid slack token " + req.body.token));
  }
  return next();
}

var slackRouter = new express.Router();
slackRouter.use(verifyToken);
// highFive and ship are the bot's own command handlers (defined elsewhere in the bot)
slackRouter.post("/highfive", highFive.handleRequest.bind(highFive));
slackRouter.post("/ship", ship.startShipping.bind(ship));

app.use("/slack", slackRouter);

We have an array of possible slack tokens stored in our config file and whenever we add or remove commands we can simply add the token to that one list.

Now our routes are /slack/ship and /slack/highfive and whenever anyone sends data to them it will always validate that they have a valid slack token. No more manual verification in each route or having new developers forget to add security to their route, it’s all automatic.

Securing Jenkins

Our bot also listens to build hooks from Jenkins so that it can post to our Slack channel letting us know about the status of various jobs.

We can secure Jenkins in the same way, but because it doesn’t pass any custom data in these job notifications we’ll secure it based on the requester IP address. One caveat with this approach: request-ip prefers forwarding headers such as X-Forwarded-For and X-Real-IP over the actual TCP peer address, and any client can set those headers. This check is therefore only as good as the reverse proxy in front of the bot; if there is no proxy that overwrites those headers, or the bot is reachable directly, read the socket’s remote address instead.

var requestIp = require("request-ip");
// express, config and app are the same objects set up in the Slack section above

// Router-level middleware: runs before every route mounted under /jenkins
function verifyIPIsJenkins(req, res, next) {
  var reqIp = requestIp.getClientIp(req);
  if (!reqIp || config.get("jenkins.ips").indexOf(reqIp) === -1) {
    return next(new Error("Jenkins push request came from " + reqIp + " which isn't a known address"));
  }
  return next();
}

var jenkinsRouter = new express.Router();
jenkinsRouter.use(verifyIPIsJenkins);
// jenkins is the bot's own notification handler (defined elsewhere in the bot)
jenkinsRouter.post("/success", jenkins.buildSuccess.bind(jenkins));
jenkinsRouter.post("/failed", jenkins.buildFailed.bind(jenkins));

app.use("/jenkins", jenkinsRouter);

Now just like above we have 2 routes at /jenkins/success and /jenkins/failed and whenever anyone tries to access them it automatically verifies they are our CI server. If they are not the request will fail.

The reason I enjoy using these routes is they keep the code neat and also ensure that when someone comes to work on this project in the future they can easily add another route and won’t accidentally allow hackers in the back door. Keeping things simple and automatic so any developer can pick up this code and run with it is my style of programming.