Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to AWSug.nl Meetup @ New10 - SAM
Similar to AWSug.nl Meetup @ New10 - SAM (20)
Recently uploaded
Recently uploaded (20)
AWSug.nl Meetup @ New10 - SAM
- 1. ServerlessServerless Introduction to Serverless ApplicationIntroduction to Serverless Application Model (SAM) + Advanced Security &Model (SAM) + Advanced Security & Safety Best PracticesSafety Best Practices Martijn van DongenMartijn van Dongen AWS Cloud Evangelist | Founder AWSug.nl | AWS APN AmbassadorAWS Cloud Evangelist | Founder AWSug.nl | AWS APN Ambassador 1
- 2. 400 300 200 100 Expert Sessions are for attendees who are deeply familiar with the topic, have implemented a solution on their own already, and are comfortable with how the technology works across multiple services, architectures, and implementations. Advanced Sessions dive deeper into the selected topic. Presenters assume that the attendees have some familiarity with the topic but may or may not have direct experience implementing a similar solution. Intermediate Sessions are focused on providing best practices, details of service features and demos, with the assumption that attendees have introductory knowledge of the topic. Introductory Sessions are focused on providing an overview of AWS services, with the assumption that attendees are new to the topic. 2
- 3. "We are willing to be misunderstood"We are willing to be misunderstood for long periods of time."for long periods of time." - Jeff Bezos- Jeff Bezos 3
- 5. Input Coordinator Rekognition Transcribe Video Compressor Thumbnailer Output Subtitles Metadata Thumbnails Compressed Video ~ 3 minutes 60 minute video file x 120 5
- 6. 6
- 8. Serverless Application Model (SAM)Serverless Application Model (SAM) Security and Safety Best PracticesSecurity and Safety Best Practices Intro. New to Serverless? Layers. Keep the lambdas lambda. Policies. [ARNs, Templates, Inline] X-Ray. Some γ for your λ. Canary Deploy. Deploy, #3!&ds$, Rollback. VPC/Aurora. Connecting to Aurora Serverless. Secrets. Don't want to know it. 8
- 9. CloudFormationS3 Command Line Lambda IAM Roles / Policies API Gateway Package Deploy Get Artifacts 9
- 10. Resources: MyFunction: Type: 'AWS::Serverless::Function' Properties: Handler: lambda.handler CodeUri: src/ Runtime: python3.7 Environment: Variables: MY_TABLE: !Ref MySimpleTable Events: GetResource: Type: Api Properties: Path: /hello 10
- 11. import boto3 import json import os dynamodb = boto3.resource('dynamodb') table = dynamodb.Table(os.environ['MY_TABLE']) def handler(event, context): body = {"hello": os.environ['MY_TABLE']} return { "statusCode": 200, "body": json.dumps(body) } 11
- 12. $ aws cloudformation package --template-file template.yml --s3-bucket my-artifacts --output-template-file packaged.yml $ aws cloudformation deploy --stack-name serverless-stack --template-file packaged.yml --capabilities CAPABILITY_IAM 12
- 13. $ sam package --template-file template.yml --s3-bucket my-artifacts --output-template-file packaged.yml $ sam deploy --stack-name serverless-stack --template-file packaged.yml --capabilities CAPABILITY_IAM 13
- 14. cat >> ~/.aws/cli/alias <<! launch = !f() { aws cloudformation package --template template.yml --s3-bucket $S3_SANDBOX_ARTIFACTS --output-template-file packaged.yml aws cloudformation deploy --stack-name $1 --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM --template packaged.yml }; f ! 14
- 15. $ aws launch mystack $ aws delete mystack $ aws list $ aws errors mystack $ aws events mystack $ aws describe mystack https://binx.io/blog/2019/06/30/aws-cli-aliases-shorten-your-most-used-commands/ 15
- 16. Globals: Function: Runtime: python3.7 Timeout: 30 #CodeUri: src/ <-- Don't do this! Resources: MyFunction: Type: 'AWS::Serverless::Function' Properties: Handler: lambda.handler CodeUri: src/ # <-- Do this! 16
- 18. $ mkdir python $ pip install -r requirements.txt -t ./python $ zip -r mylayer.zip ./python Resources: MyFunction: Type: 'AWS::Serverless::Function' Properties: Handler: lambda.handler CodeUri: src/ Layers: - !Ref "MyLayer" MyLayer: Type: 'AWS::Serverless::LayerVersion' Properties: ContentUri: mylayer.zip CompatibleRuntimes: - python3.7 18
- 20. Inline PolicyInline Policy Resources: MyFunction: Type: 'AWS::Serverless::Function' Properties: # ... Policies: - Version: '2012-10-17' Statement: - Effect: Allow Action: - dynamodb:* Resource: - !Sub "${linksTable.Arn}/*" - !GetAtt 'linksTable.Arn' 20
- 21. Policy TemplatesPolicy Templates Resources: MyFunction: Type: 'AWS::Serverless::Function' Properties: # ... Policies: - LambdaInvokePolicy: FunctionName: !Ref BackendFunction - DynamoDBCrudPolicy: TableName: !Ref ServerlessTable - 'arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess' https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-template-list.html 21
- 22. X-RayX-Ray Some γ for your λSome γ for your λ 22
- 23. Resources: MyFunction: Type: 'AWS::Serverless::Function' Properties: # ... Tracing: Active Policies: - 'arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess' MyAPI: Type: 'AWS::Serverless::Api' Properties: StageName: api TracingEnabled: true 23
- 24. import boto3 import json import os from aws_xray_sdk.core import xray_recorder from aws_xray_sdk.core import patch_all patch_all() dynamodb = boto3.resource('dynamodb') table = dynamodb.Table(os.environ['TABLE_NAME']) def handler(event, context): # ... 24
- 25. 25
- 26. 26
- 27. 27
- 29. Resources: MyFunction: Type: 'AWS::Serverless::Function' Properties: # ... AutoPublishAlias: live DeploymentPreference: Type: Canary10Percent10Minutes Alarms: - !Ref MyFunctionErrors - !Ref MyFunctionPerformance 29
- 31. 31
- 33. 33
- 34. VPC API Gateway Lambda Aurora Serverless 34
- 35. Resources: MyFunction: Type: 'AWS::Serverless::Function' Properties: VpcConfig: SecurityGroupIds: [sg-0c201dfa] SubnetIds: [subnet-0c06822, subnet-0d7514e5b] Policies: - 'arn:aws:iam::aws:policy/service-role/AWSLambda..' DatabaseCluster: Type: 'AWS::RDS::DBCluster' Properties: Engine: aurora EngineMode: serverless 35
- 36. VPC API Gateway Lambda Aurora Serverless VPC Endpoint DynamoDB 36
- 37. Resources: Endpoint: Type: 'AWS::EC2::VPCEndpoint' Properties: RouteTableIds: [ 'rtb-32wfr23' ] ServiceName: !Sub 'com.amazonaws.${AWS::Region}.dynamodb' VpcId: vpc-eg3r23r 37
- 40. Resources: MySecret: Type: 'AWS::SecretsManager::Secret' Properties: Description: "This is my rds instance secret" GenerateSecretString: SecretStringTemplate: '{"username": "master"}' GenerateStringKey: 'password' PasswordLength: 16 ExcludeCharacters: '"@/' 40
- 41. Resources: DatabaseCluster: Type: 'AWS::RDS::DBCluster' Properties: Engine: aurora EngineMode: serverless MasterUsername: "master" MasterUserPassword: 'Fn::Join': - "" - - {{resolve:secretsmanager: - !Ref 'MySecret' - :SecretString:password}} 41
- 42. Resources: MyFunction: Type: 'AWS::Serverless::Function' Properties: # ... Environment: Variables: MY_SECRET: !Ref MySecret Policies: - AWSSecretsManagerGetSecretValuePolicy: SecretArn: !Ref MySecret 42
- 43. client = session.client( service_name='secretsmanager' ) secret = os.environ['MY_SECRET'] response = client.get_secret_value( SecretId=secret ) s = json.loads(response['SecretString']) name = s['username'] password = s['password'] conn = pymysql.connect(rds_host, user=name, passwd=passw.. #... 43
- 44. Take AwaysTake Aways Love SAM Adopt Lambda Layers Checkout X-Ray Least Privileges Canary Deployment Deploy lambdas in VPCs Secrets that only your app knows 44
- 46. CloudStarCloudStar Cloud DevelopersCloud Developers Cloud EngineersCloud Engineers Cloud DevOpsCloud DevOps Cloud InstructorsCloud Instructors Cloud ArchitectsCloud Architects Cloud ConsultantsCloud Consultants Cloud EvangelistsCloud Evangelists Cloud StrategistsCloud Strategists What's your dream job?What's your dream job? 46
- 47. Thanks!Thanks! Martijn van DongenMartijn van Dongen AWS Cloud Evangelist | Founder AWSug.nl | AWS APN AmbassadorAWS Cloud Evangelist | Founder AWSug.nl | AWS APN Ambassador 47