Presentation by Matt Barlow
Someone just gave you an idea for a new microservice. How quickly can you build it?
Using Swagger, API Gateway, and Lambda, we'll go from idea to HTTP response with just a few edits. We'll look at how Swagger can auto-generate our API Gateway service, docs, client libraries, monitors, and tests, saving us a ton of work. We'll make code changes, version them in Lambda, and evaluate them with curl or Postman in seconds.
10. API Methods
Path | Operation | OperationID | Description
/atq | GET | list_jobs | List all jobs
/atq | POST | create_job | Create an at job
/atq/{id} | GET | describe_job | Describe an at job
/atq/{id} | DELETE | delete_job | Delete an at job
A method is a combination of a resource path and an operation.
11. Objects
atJob
Name | Type | Format | Required?
jobid | string | uuid | yes
lambdaArn | string | arn | no
time | string | dateTime | no
The object will define the response that our API returns.
12. Code
OperationID | Pseudocode
list_jobs | DynamoDB BatchGetItem
describe_job | DynamoDB Query on jobid
create_job | Create CloudWatch Event and PutItem into DynamoDB.
delete_job | Delete CloudWatch Event and DeleteItem out of DynamoDB.
These Operation IDs are defined in Swagger and passed through to Lambda code as part of the event object.
14. git clone git@github.com:mattjbarlow/microservice-template.git
File | Description
service/service.py * | Python module that will run in Lambda.
circle.yml | Circle CI instructions.
deploy.yml | Ansible playbook for provisioning microservice.
destroy.yml | Ansible playbook for deleting microservice.
swagger.yml * | Spec file that describes your API.
template.json | AWS resources required by the microservice.
version.yml | Ansible playbook that versions your Lambda code.
* The bulk of your edits will be in these two files.
16. Remember these?
Path | Operation | OperationID | Description
/atq | GET | list_jobs | List all jobs
/atq | POST | create_job | Create an at job
/atq/{id} | GET | describe_job | Describe an at job
/atq/{id} | DELETE | delete_job | Delete an at job
17. We Insert Them Directly Into Swagger
RESOURCE PATH
HTTP OPERATION
Object Definition
21. Ansible Deployment Playbook
1. Zips up Python module and uploads it to S3
2. Creates the API Gateway
3. Provisions AWS resources
a. Lambda
b. DynamoDB
c. IAM Roles and Policies
d. Lambda Permission
4. Adds mapping templates to API Gateway
49. GET Request With Lambda
Step | What Happens
Send GET request | API Gateway Receives HTTP Request Data from client.
Transform | API Gateway Transforms Request Data into Event Object
Proxy | API Gateway POSTs Event Object to Lambda
Read | Lambda Reads data from DynamoDB
Return | API Gateway Receives return values from Lambda
Transform | API Gateway Transforms backend data into HTTP Response
Respond | API Gateway Responds back to the client.
50. GET Request without Lambda
Step | What Happens
Send GET request | API Gateway Receives HTTP Request Data from client.
Transform | API Gateway Transforms Request Data into Event Object
Proxy | API Gateway POSTs DynamoDB Query to Dynamo
Read | Lambda Reads data from DynamoDB
Return | API Gateway Receives return values from Dynamo
Transform | API Gateway Transforms backend data into HTTP Response
Respond | API Gateway Responds back to the client.
54. CI Workflow
CI
Step 1 Deploy Microservice
Step 2 Validate API Calls
Step 3 Destroy Microservice
git push POST: /project/:tree/:branch
55. Validating API Calls With Flex
from flex.core import load, validate_api_call
schema = load('swagger.awsexport.json')  # Loads Swagger spec into memory
# r is the requests.Response returned by the HTTP request to the API Gateway URL
validate_api_call(schema, raw_request=r.request, raw_response=r)
1. Receives Swagger spec file which is our source of truth.
2. Makes an HTTP Request to the API Gateway URL.
3. Ensures the response matches what we said it would in Swagger.
57. Built In Auth Options
Option 1: API Keys managed by API Gateway API
(Not really useful for user auth in public APIs)
GET /dev/v1/atq HTTP/1.1
Host: cg4e6xg82i.execute-api.us-east-1.amazonaws.com
Connection: keep-alive
x-api-key: bkayZOMvuy8aZOhIgxq94K9Oe7Y70Hw55
Option 2: Signature Version 4 signing with IAM
(Powerful, but requires client having AWS API Key)
58. Custom Authorizers
Client Library: Receive Token from Identity; Send Token to /auth endpoint; Make request with JWT
API Gateway: Pass Through; Custom Authorizer Intercept; Caches temporary policy; Allows Request
Lambda: Validates Identity Token; Generates JWT; Responds With JWT; Validates JWT; Returns temporary IAM policy
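The "Validates JWT" and "Returns temporary IAM policy" steps of the custom authorizer flow above, as an added example that is not code from the presentation or the microservice-template repository. It assumes HS256 tokens signed with a key shared between the /auth Lambda and the authorizer, and a TOKEN-type authorizer event; SECRET, issue_jwt, verify_jwt and authorizer_handler are hypothetical names.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 key shared with the /auth Lambda

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_jwt(sub, ttl=300, now=None):
    """Stand-in for the /auth Lambda's 'Generates JWT' step."""
    now = int(time.time()) if now is None else now
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    return f"{head}.{body}.{_enc(_sign(head + '.' + body))}"

def verify_jwt(token, now=None):
    """Return the claims, or raise ValueError for any defect in the token."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims, sig = json.loads(_dec(head)), json.loads(_dec(body)), _dec(sig)
        alg, sub, exp = header["alg"], claims["sub"], claims["exp"]
    except Exception:
        raise ValueError("malformed token")
    if alg != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, _sign(head + "." + body)):
        raise ValueError("bad signature")
    if not isinstance(sub, str) or not isinstance(exp, int) or exp <= now:
        raise ValueError("expired or invalid claims")
    return claims

def authorizer_handler(event, context=None):
    """TOKEN authorizer: 'Validates JWT', then 'Returns temporary IAM policy'."""
    try:
        claims = verify_jwt(event["authorizationToken"])
        arn = event["methodArn"]
    except (KeyError, ValueError):
        raise Exception("Unauthorized")  # API Gateway answers the client with 401
    statement = {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": arn}
    return {"principalId": claims["sub"],
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}
```

Because API Gateway caches the returned policy per token ("Caches temporary policy"), a policy scoped to a single methodArn is reused for that token's later calls to other methods until the cache TTL expires. Size the Resource and the TTL with that in mind.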
BatchGetItem can only return 100 items / 16KB of data, so paging is required.
There is a limit of 50 Event Sources per AWS account.
Make sure you select the Swagger file exported by Ansible from AWS, not the swagger.yml that was downloaded from templates.
You don’t HAVE to send all this information through to Lambda. You control what is sent to Lambda in the mapping template in Swagger.
Only writes to Dynamo at this point. Later on we will create the CloudWatch event.
You can use AWS credentials (access and secret keys) to sign requests to your service and authorize access like other AWS services. The signing of an Amazon API Gateway API request is managed by the custom API Gateway SDK generated for your service. You can retrieve temporary credentials associated with a role in your AWS account using Amazon Cognito.