Back to blog index 2019-03-19

EC2 is really complicated

A significant chunk of the web runs on Amazon hardware now. I don’t get it.

It’s not that I don’t understand the advantages of Cloud Computing, it’s the immense complexity of Amazon’s ecosystem that baffles me. I mean, take something like IAM. It sounds pretty easy: there’s a list of users, and you can assign them various permissions. So I can just add an email address and say “this person gets to administrate this server”, right?

An actual, bona-fide, screenshot of IAM

Nuh-uh. Because first, you gotta write yourself a “Policy” in JSON. Or find one in the list: don’t worry, it’ll be called something simple like “AmazonElasticMapReduceforAutoScalingRole” and yeah, you’ll need to add that to a Role, and then that Role goes into a Group and oh, hey, what’s this?

Naturally, all policies must have a florble gobbidy blook

Policies must have an action that has an applicable resource or condition.

Right.

I, uh, I’ll just, uh, apply a resource to that, then. Or apply the resource to an action. I mean, really? I have no idea what any of this means.

And IAM is just the tip of the iceberg really since every service that Amazon exposes (and they have A LOT of services) looks like this: you’re clicking through reams upon reams of configuration and indirection and coupling. It’s there for a good reason, I’m sure! Someone at Netflix needs to be able to automate parts of their machine learning cluster to balance between continents and then see an audit trail of who created which groups. So there has to be an interface for that stuff. Makes sense. For Netflix.

You’re not Netflix

Even as someone who regularly deploys applications for a living I still kind of struggle to see the point at which all this complexity pays off — unless you have a big team of full-time DevOps engineers, which means that you’re probably just as well off shoving them into the deepest darkest recesses of a Debian installation and locking the trap door behind them. Maybe it’s just me being an Old or me being comfortable in Linux, but setting a few UFW rules to allow communication between servers just seems far easier to grok (and less likely to fail in unexpected ways) than wading through pages of Amazon-specific jargon to assign an EFS Rule to a Security Group and adding it to a Network Interface and then writing a TPS report in JSON to your Flux Capacitator.

Really, most of these things are easy! A lot of what Amazon seems to be doing is shunting various Unix tools into Amazon-branded abstractions and foisting them on us as great inventions. (Except for managed databases, I have nothing but respect for the RDS team, that shit is tough as nails and super awful for everyone when you inevitably fuck it up. Oh and S3 works well too, except the permissions model which always fails and at some point someone will have pasted enough XML into that stupid little window that the bucket becomes world writable but since it finally works nobody dares to try and fix it but I digress)

Whichever cloud floats your boat though

Anyway, I’m not here to tell anyone to switch provider. I just hate that Amazon is the default assumption because it’s super duper complicated because it needs to cater to the enterprise crowd and my hair is greying prematurely when I have to deal with them. I’m also coldly and cynically assuming that a lot of Amazon’s traction is cargo-cult “industry standard” thinking where everyone ridiculously overestimates what their app should be capable of doing. This blog runs on a five year old Raspberry Pi which took me all of an hour to set up and now I have free hosting forever. If at some point in the future I need to add a Serverless IoT Facial Recognition Cloud to it I promise to have a look at whatever Amazon’s peddling. But I suspect it’ll be just as easy to run apt-get update && apt-get ai and keep on trucking.