DEV Community: Konstantin The latest articles on DEV Community by Konstantin (@konsta_ivlev). https://dev.to/konsta_ivlev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F609917%2F1b6ded31-5144-4ff3-aeee-69df4ad152ae.jpeg DEV Community: Konstantin https://dev.to/konsta_ivlev en DynamoDb stream lambda trigger Konstantin Wed, 14 Apr 2021 08:55:54 +0000 https://dev.to/konsta_ivlev/dynamodb-stream-lambda-trigger-anh https://dev.to/konsta_ivlev/dynamodb-stream-lambda-trigger-anh <h3> Assignment </h3> <p>Let's take a look on a typical scenario, once it is required to subscribe to <a href="https://aws.amazon.com/blogs/database/dynamodb-streams-use-cases-and-design-patterns">DynamoDb stream</a> events and trigger <a href="https://aws.amazon.com/lambda/">AWS lambda function</a>. In theory and in <a href="https://docs.aws.amazon.com/cdk/api/latest/docs/aws-lambda-readme.html">tutorials</a> the task looks quite simple:</p> <ul> <li>setup a <a href="https://docs.aws.amazon.com/cdk/api/latest/docs/aws-lambda-readme.html">lambda</a> </li> <li>add <a href="https://docs.aws.amazon.com/cdk/api/latest/docs/aws-lambda-readme.html#event-sources">event source</a> with the table attached. Sample: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">private</span> <span class="nx">subscribeToDynamoDbStream</span><span class="p">(</span> <span class="nx">lambdaRole</span><span class="p">:</span> <span class="nx">Role</span><span class="p">,</span> <span class="nx">layer</span><span class="p">:</span> <span class="nx">LayerVersion</span><span class="p">,</span> <span class="nx">applicationName</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">targetTable</span><span class="p">:</span> <span class="nx">ITable</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">lambda</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">applicationName</span><span class="p">}</span><span class="s2">-lambda`</span><span class="p">,</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="nx">Code</span><span class="p">.</span><span class="nx">fromAsset</span><span class="p">(</span><span class="dl">'</span><span class="s1">functions/custom-trigger/src</span><span class="dl">'</span><span class="p">),</span> <span class="na">functionName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">applicationName</span><span class="p">}</span><span class="s2">-lambda`</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="nx">handler</span><span class="p">,</span> <span class="na">layers</span><span class="p">:</span> <span class="p">[</span><span class="nx">layer</span><span class="p">],</span> <span class="na">role</span><span class="p">:</span> <span class="nx">lambdaRole</span><span class="p">,</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">Runtime</span><span class="p">.</span><span class="nx">NODEJS_12_X</span><span class="p">,</span> <span class="p">});</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">addEventSource</span><span class="p">(</span><span class="k">new</span> <span class="nx">DynamoEventSource</span><span class="p">(</span><span class="nx">targetTable</span><span class="p">,</span> <span class="p">{</span> <span class="na">startingPosition</span><span class="p">:</span> <span class="nx">StartingPosition</span><span class="p">.</span><span class="nx">TRIM_HORIZON</span><span class="p">,</span> <span class="p">}));</span> <span class="p">}</span> </code></pre> </div> <p>This scenario works well in case of the <a href="https://aws.amazon.com/blogs/devops/best-practices-for-developing-cloud-applications-with-aws-cdk/">single repository</a>, once lambda, dynamodb and dynamodb stream are provisioned in the same stack. </p> <h3> Issue </h3> <p>In more complex layout the dynamodb itself is created and corresponding dynamodb stream is provisioned in a different stack. The dynamodb arn is saved to the <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html">SSM parameter store</a>, or the name is known.<br> So, first import table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">private</span> <span class="nx">importTargetTable</span><span class="p">(</span><span class="nx">environment</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">tableArn</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">table</span> <span class="o">=</span> <span class="nx">Table</span><span class="p">.</span><span class="nx">fromTableArn</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ImportedTable</span><span class="dl">'</span><span class="p">,</span> <span class="nx">tableArn</span><span class="p">);</span> <span class="k">return</span> <span class="nx">table</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Then call <code>subscribeToDynamoDbStream</code> function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">importedTable</span> <span class="o">=</span> <span class="nx">importTargetTable</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">tableArn</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">subscribeToDynamoDbStream</span><span class="p">(</span><span class="nx">lambdaRole</span><span class="p">,</span> <span class="nx">layer</span><span class="p">,</span> <span class="nx">applicationName</span><span class="p">,</span> <span class="nx">importedTable</span><span class="p">);</span> </code></pre> </div> <p>The result is unexpected: <code>DynamoDB Streams must be enabled on the table [tablename]</code>. The AWS console clearly shows that the Dynamodb stream is enabled. Quick googling recommends the most obvious thing: enable already enabled feature. CDK <a href="https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-lambda-event-sources/lib/dynamodb.ts#L25">source code</a> inspection reveals that during <code>fromTableArn</code> invocation the stream arn most probably has not been loaded. </p> <h3> Solution </h3> <p>First of all there should be DynamoDb stream arn exported to SSM during DynamoDB provisioning:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">targetTable</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Table</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`targeTableName`</span><span class="p">,</span> <span class="p">{</span> <span class="na">partitionKey</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span> <span class="p">},</span> <span class="na">sortKey</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span> <span class="p">},</span> <span class="p">...</span> <span class="na">stream</span><span class="p">:</span> <span class="nx">StreamViewType</span><span class="p">.</span><span class="nx">NEW_AND_OLD_IMAGES</span><span class="p">,</span> <span class="na">tableName</span><span class="p">:</span> <span class="s2">`targetTableName`</span> <span class="p">});</span> <span class="c1">// Export target table stream arn to SSM</span> <span class="k">new</span> <span class="nx">StringParameter</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">ctx</span><span class="p">,</span> <span class="s2">`targetTable-stream-arn`</span><span class="p">,</span> <span class="p">{</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Exported stream arn</span><span class="dl">"</span><span class="p">,</span> <span class="na">parameterName</span><span class="p">:</span> <span class="s2">`/targeTable-stream-arn`</span><span class="p">,</span> <span class="na">stringValue</span><span class="p">:</span> <span class="nx">targetTable</span><span class="p">.</span><span class="nx">tableStreamArn</span><span class="o">!</span> <span class="p">});</span> </code></pre> </div> <p>In a stack where a lambda is created and subscription to the dynamodb stream is setup, <code>tableStreamArn</code> is read from SSM.</p> <h4> Option 1 </h4> <p>Change the way how <code>ITable</code> is constructed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">private</span> <span class="nx">importTargetTable</span><span class="p">(</span><span class="nx">environment</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">tableArn</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">tableStreamArn</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">table</span> <span class="o">=</span> <span class="nx">Table</span><span class="p">.</span><span class="nx">fromTableAttributes</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ImportedTable</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">tableArn</span><span class="p">:</span> <span class="nx">tableArn</span><span class="p">,</span> <span class="na">tableStreamArn</span><span class="p">:</span> <span class="nx">tableStreamArn</span> <span class="k">return</span> <span class="nx">table</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h4> Option 2 </h4> <p>Technically speaking AWS lambda with DynamoDb stream trigger does not have to be aware of DynamoDb table (and it's arn). Option 2 could be considered as an improvement of the code above: <a href="https://www.amazon.jobs/en/principles">'Invent and Simplify'</a>.<br> Once the lambda is created, EventSourceMapping object could be used to enable DynamoDb stream trigger for the lambda usin <code>tableStreamArn</code> only:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">lambda</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Function</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="p">...);</span> <span class="k">new</span> <span class="nx">EventSourceMapping</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`lambda-trigger-mapping`</span><span class="p">,</span> <span class="p">{</span> <span class="na">eventSourceArn</span><span class="p">:</span> <span class="nx">tableStreamArn</span><span class="p">,</span> <span class="na">startingPosition</span><span class="p">:</span> <span class="nx">StartingPosition</span><span class="p">.</span><span class="nx">TRIM_HORIZON</span><span class="p">,</span> <span class="c1">// any necessary options of a choice, e.g. batchSize, retryAttempt, etc.</span> <span class="na">target</span><span class="p">:</span> <span class="nx">lambda</span> <span class="p">});</span> </code></pre> </div> <p>I hope that this post would help you in your CDK learning journey.<br> Best wishes..</p> aws dynamodbstream lambda cdk Painful CDK - 1 Konstantin Wed, 07 Apr 2021 09:18:29 +0000 https://dev.to/konsta_ivlev/painful-cdk-1-ni https://dev.to/konsta_ivlev/painful-cdk-1-ni <p>AWS CDK is a great tool. Although it sometimes works not as expected. In this post, I'd like to share some CDK pain.</p> <p>Let's take a look on the simple piece of code below. My goal is to create a new Cognito user pool authorizer and use it to protect a newly created endpoint with a lambda integration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// create cognito authorizer:</span> <span class="kd">const</span> <span class="nx">authorizer</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">CfnAuthorizer</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">ctx</span><span class="p">,</span> <span class="dl">"</span><span class="s2">restApiMyResourceAuthorizer</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">restApiId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">restApi</span><span class="p">.</span><span class="nx">restApiId</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">COGNITO_USER_POOLS</span><span class="dl">"</span><span class="p">,</span> <span class="na">identitySource</span><span class="p">:</span> <span class="dl">"</span><span class="s2">method.request.header.Authorization</span><span class="dl">"</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">restApiMyResourceAuthorizer</span><span class="dl">"</span><span class="p">,</span> <span class="na">providerArns</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">..</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> <span class="c1">// create a resource</span> <span class="kd">const</span> <span class="nx">myResource</span><span class="p">:</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">Resource</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">restApi</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">addResource</span><span class="p">(</span><span class="dl">"</span><span class="s2">myResource</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// add an endpoint to the Rest API resource with authorizer</span> <span class="nx">myResource</span><span class="p">.</span><span class="nx">addMethod</span><span class="p">(</span><span class="nx">lambdaDeploymentOptions</span><span class="p">.</span><span class="nx">httpMethod</span><span class="p">,</span> <span class="k">new</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">LambdaIntegration</span><span class="p">(</span><span class="nx">lambda</span><span class="p">),{</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">COGNITO</span><span class="p">,</span> <span class="na">authorizer</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorizerId</span><span class="p">:</span> <span class="nx">authorizer</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">COGNITO</span><span class="p">,</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>This gives:</p> <blockquote> <p>Invalid authorizer ID specified. Setting the authorization type to CUSTOM or COGNITO_USER_POOLS requires a valid authorizer.</p> </blockquote> <p>There are some opened questions in the internet on this topic.<br> Solution I've found is a bit hacky:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">method</span> <span class="o">=</span> <span class="nx">myResource</span><span class="p">.</span><span class="nx">addMethod</span><span class="p">(</span><span class="nx">lambdaDeploymentOptions</span><span class="p">.</span><span class="nx">httpMethod</span><span class="p">,</span> <span class="k">new</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">LambdaIntegration</span><span class="p">(</span><span class="nx">lambda</span><span class="p">),{</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">COGNITO</span><span class="p">,</span> <span class="na">authorizer</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorizerId</span><span class="p">:</span> <span class="nx">lambdaDeploymentOptions</span><span class="p">.</span><span class="nx">authorizer</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">authorizationType</span><span class="p">:</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">AuthorizationType</span><span class="p">.</span><span class="nx">COGNITO</span><span class="p">,</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">child</span> <span class="o">=</span> <span class="nx">method</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nx">findChild</span><span class="p">(</span><span class="dl">'</span><span class="s1">Resource</span><span class="dl">'</span><span class="p">)</span> <span class="k">as</span> <span class="nx">apigateway</span><span class="p">.</span><span class="nx">CfnMethod</span><span class="p">;</span> <span class="nx">child</span><span class="p">.</span><span class="nx">addPropertyOverride</span><span class="p">(</span><span class="dl">'</span><span class="s1">AuthorizationType</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">COGNITO_USER_POOLS</span><span class="dl">'</span><span class="p">);</span> <span class="nx">child</span><span class="p">.</span><span class="nx">addPropertyOverride</span><span class="p">(</span><span class="dl">'</span><span class="s1">AuthorizerId</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">Ref</span><span class="p">:</span> <span class="nx">lambdaDeploymentOptions</span><span class="p">.</span><span class="nx">authorizer</span><span class="p">.</span><span class="nx">logicalId</span> <span class="p">});</span> </code></pre> </div> <p>In case of questions: "why <code>CfnAuthorizer</code>, not <code>CognitoUserPoolsAuthorizer</code>. The reason is simple - <code>CognitoUserPoolsAuthorizer</code> does not allow to set Token Validation regular expression (<code>identityValidationExpression</code>).</p> <p>P.S.<br> There is a general guide how to solve issues with CDK. "Escape hatches": <a href="https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html">https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html</a></p> cdk aws cognito restapi