The latest articles on DEV Community by mklabs (@mklabs). https://dev.to/mklabs https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F4087%2F888fb3d8-e036-44b7-8749-3212e3645ddb.png https://dev.to/mklabs en diogoaurelio Mon, 02 Jan 2023 16:15:43 +0000 https://dev.to/mklabs/yet-another-post-about-type-classes-in-scala-3d5n https://dev.to/mklabs/yet-another-post-about-type-classes-in-scala-3d5n <p>While recently having a chat with a colleague about type classes in scala, I realized I failed at properly explaining the concept. So here I am, giving it (yet) another stab.</p> <p>In this post we will: </p> <ul> <li>understand the intuition behind type classes (TCs), to better reason when to use them;</li> <li>provide two concrete examples with code in scala;</li> <li>conclude with a very brief look into <code>cats</code>, a widely used scala library that heavily relies on TCs;</li> </ul> <p>The examples provided in this post were written in Scala 2, and <a href="https://github.com/mklabs-io/scala-type-classes-intro">are available in this github repository</a>.</p> <h2> Intuition </h2> <p>Type classes provide a way to model for different behaviors according to the type of the object being handled. So, at it's core, a type class is (unlike the name might at first sight suggest) actually just an interface - a <code>trait</code> in scala - that defines the behavior with a given method signature that accepts or returns generic type. <br> We then define concrete implementations for that interface for a given specific type. These we call the type class instances.<br> Usually, as a last step, one exposes this functionality with a given api, say, for example a static method. </p> <h2> Example 1 </h2> <p>Let's say we work in a company that does ratings, and, to simplify matters, issues 5 star ratings. Currently the company started with doing evaluations of restaurants. However, we want to be able to extend those in the future to other aspects in life, such as hotels, cities, concerts, cars, gadgets, etc, you name it. <br> Modelling our business domain, we'd quickly understand that a car is a completely distinct model than a hotel, so using classic OOP polymorphism by finding a common denominator interface that all of the other classes extend/inherit is a weak solution.<br> Instead, what we really want is just to define a general interface for rating any of these types - think generics. In more rigorous terms this is called parametric polymorphism, which refers to the ability to define a single code template that can work with any type <code>T</code> parameter.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="c1">// this is our Type Class</span> <span class="k">trait</span> <span class="nc">Reviewer</span><span class="o">[</span><span class="kt">T</span><span class="o">]</span> <span class="o">{</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">(</span><span class="n">obj</span><span class="k">:</span> <span class="kt">T</span><span class="o">)</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">}</span> </code></pre> </div> <p>Our TC has a single method that accepts a generic type, and returns 1-5 star rating which we oversimplified with an Integer (<code>Int</code>) return type. </p> <p>Let's add two (rather silly but hopefully illustrative) models:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">case</span> <span class="k">class</span> <span class="nc">Restaurant</span><span class="o">(</span><span class="n">name</span><span class="k">:</span> <span class="kt">String</span><span class="o">,</span> <span class="n">foodQuality</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">environment</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">location</span><span class="k">:</span> <span class="kt">Int</span><span class="o">)</span> <span class="k">case</span> <span class="k">class</span> <span class="nc">Dish</span><span class="o">(</span><span class="n">name</span><span class="k">:</span> <span class="kt">String</span><span class="o">,</span> <span class="n">sweetness</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">saltiness</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">bitterness</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">sourness</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">umami</span><span class="k">:</span> <span class="kt">Int</span><span class="o">)</span> </code></pre> </div> <p>Now comes the second part, where we deviate from parametric polymorphism - where the concrete implementation is completely agnostic to the Type <code>T</code> being handled - and add specific TC instances that define different behaviors/strategies depending on the object being handled. For rating a restaurant one could implement a simple algorithm as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">object</span> <span class="nc">RestaurantReviewer</span> <span class="k">extends</span> <span class="nc">Reviewer</span><span class="o">[</span><span class="kt">Restaurant</span><span class="o">]</span> <span class="o">{</span> <span class="k">override</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">(</span><span class="n">obj</span><span class="k">:</span> <span class="kt">Restaurant</span><span class="o">)</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="nv">scala</span><span class="o">.</span><span class="py">math</span> <span class="o">.</span><span class="py">round</span><span class="o">(</span><span class="mf">0.6F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">foodQuality</span> <span class="o">+</span> <span class="mf">0.3F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">environment</span> <span class="o">+</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">location</span><span class="o">)</span> <span class="o">}</span> </code></pre> </div> <p>and, on the other hand, for reviewing a dish the following strategy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">object</span> <span class="nc">DishReviewer</span> <span class="k">extends</span> <span class="nc">Reviewer</span><span class="o">[</span><span class="kt">Dish</span><span class="o">]</span> <span class="o">{</span> <span class="k">override</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">(</span><span class="n">obj</span><span class="k">:</span> <span class="kt">Dish</span><span class="o">)</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="nv">scala</span><span class="o">.</span><span class="py">math</span><span class="o">.</span><span class="py">round</span><span class="o">(</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">sweetness</span> <span class="o">+</span> <span class="mf">0.2F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">saltiness</span> <span class="o">+</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">bitterness</span> <span class="o">+</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">sourness</span> <span class="o">+</span> <span class="mf">0.5F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">umami</span> <span class="o">)</span> <span class="o">}</span> </code></pre> </div> <p>TC are also sometimes referred to as ad hoc polymorphism, which opposes parametric polymorphism because one purposely defines a concrete distinct implementation for every given type. I found Jason McClellan does a great job explaining the <a href="https://dev.to/jmcclell/inheritance-vs-generics-vs-typeclasses-in-scala-20op">different types of polymorphism and in concrete for type classes, so a highly recommend you to have a look at it</a>.</p> <p>The usual third and last step is to expose the overall rating functionality, for example, as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">object</span> <span class="nc">Evaluator</span> <span class="o">{</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">[</span><span class="kt">T</span><span class="o">](</span><span class="n">obj</span><span class="k">:</span> <span class="kt">T</span><span class="o">)(</span><span class="n">evaluator</span><span class="k">:</span> <span class="kt">Reviewer</span><span class="o">[</span><span class="kt">T</span><span class="o">])</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="nv">evaluator</span><span class="o">.</span><span class="py">rate</span><span class="o">(</span><span class="n">obj</span><span class="o">)</span> <span class="o">}</span> </code></pre> </div> <p>Alright, this is already enough for us to dry-run in a demo app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">object</span> <span class="nc">DemoTC</span> <span class="k">extends</span> <span class="nc">App</span> <span class="o">{</span> <span class="k">trait</span> <span class="nc">Reviewer</span><span class="o">[</span><span class="kt">T</span><span class="o">]</span> <span class="o">{</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">(</span><span class="n">obj</span><span class="k">:</span> <span class="kt">T</span><span class="o">)</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">}</span> <span class="k">case</span> <span class="k">class</span> <span class="nc">Restaurant</span><span class="o">(</span><span class="n">name</span><span class="k">:</span> <span class="kt">String</span><span class="o">,</span> <span class="n">foodQuality</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">environment</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">location</span><span class="k">:</span> <span class="kt">Int</span><span class="o">)</span> <span class="k">case</span> <span class="k">class</span> <span class="nc">Dish</span><span class="o">(</span><span class="n">name</span><span class="k">:</span> <span class="kt">String</span><span class="o">,</span> <span class="n">sweetness</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">saltiness</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">bitterness</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">sourness</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">umami</span><span class="k">:</span> <span class="kt">Int</span><span class="o">)</span> <span class="k">object</span> <span class="nc">ReviewStrategies</span> <span class="o">{</span> <span class="k">object</span> <span class="nc">RestaurantReviewer</span> <span class="k">extends</span> <span class="nc">Reviewer</span><span class="o">[</span><span class="kt">Restaurant</span><span class="o">]</span> <span class="o">{</span> <span class="k">override</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">(</span><span class="n">obj</span><span class="k">:</span> <span class="kt">Restaurant</span><span class="o">)</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="nv">scala</span><span class="o">.</span><span class="py">math</span> <span class="o">.</span><span class="py">round</span><span class="o">(</span><span class="mf">0.6F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">foodQuality</span> <span class="o">+</span> <span class="mf">0.3F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">environment</span> <span class="o">+</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">location</span><span class="o">)</span> <span class="o">}</span> <span class="k">object</span> <span class="nc">DishReviewer</span> <span class="k">extends</span> <span class="nc">Reviewer</span><span class="o">[</span><span class="kt">Dish</span><span class="o">]</span> <span class="o">{</span> <span class="k">override</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">(</span><span class="n">obj</span><span class="k">:</span> <span class="kt">Dish</span><span class="o">)</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="nv">scala</span><span class="o">.</span><span class="py">math</span><span class="o">.</span><span class="py">round</span><span class="o">(</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">sweetness</span> <span class="o">+</span> <span class="mf">0.2F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">saltiness</span> <span class="o">+</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">bitterness</span> <span class="o">+</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">sourness</span> <span class="o">+</span> <span class="mf">0.5F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">umami</span> <span class="o">)</span> <span class="o">}</span> <span class="o">}</span> <span class="k">object</span> <span class="nc">Evaluator</span> <span class="o">{</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">[</span><span class="kt">T</span><span class="o">](</span><span class="n">obj</span><span class="k">:</span> <span class="kt">T</span><span class="o">)(</span><span class="n">evaluator</span><span class="k">:</span> <span class="kt">Reviewer</span><span class="o">[</span><span class="kt">T</span><span class="o">])</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="nv">evaluator</span><span class="o">.</span><span class="py">rate</span><span class="o">(</span><span class="n">obj</span><span class="o">)</span> <span class="o">}</span> <span class="k">val</span> <span class="nv">restaurant1</span> <span class="k">=</span> <span class="nc">Restaurant</span><span class="o">(</span><span class="n">name</span> <span class="k">=</span> <span class="s">"Cheesegaddon"</span><span class="o">,</span> <span class="n">foodQuality</span> <span class="k">=</span> <span class="mi">5</span><span class="o">,</span> <span class="n">environment</span> <span class="k">=</span> <span class="mi">3</span><span class="o">,</span> <span class="n">location</span> <span class="k">=</span> <span class="mi">2</span><span class="o">)</span> <span class="c1">// rate using `RestaurantReviewer` strategy: </span> <span class="k">val</span> <span class="nv">restaurant1Rating</span> <span class="k">=</span> <span class="nv">Evaluator</span><span class="o">.</span><span class="py">rate</span><span class="o">(</span><span class="n">restaurant1</span><span class="o">)(</span><span class="nv">ReviewStrategies</span><span class="o">.</span><span class="py">RestaurantReviewer</span><span class="o">)</span> <span class="c1">// will print: Restaurant Cheesegaddon final rate is: 4 stars</span> <span class="nf">println</span><span class="o">(</span><span class="n">s</span><span class="s">"Restaurant ${restaurant1.name} final rate is: ${restaurant1Rating} stars"</span><span class="o">)</span> <span class="o">}</span> </code></pre> </div> <p>Note that so far we're not leveraging any of scala's powerful features. As a matter a fact, we can implement the exact same demo code in java (yes java nerds, bear with me, as mentioned in the inline code comments, the above code is not the finest, but it illustrates my point):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">DemoTCJava</span> <span class="o">{</span> <span class="c1">// this is our Type Class</span> <span class="kd">interface</span> <span class="nc">Reviewer</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kt">int</span> <span class="nf">rate</span><span class="o">(</span><span class="no">T</span> <span class="n">obj</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// Note 1: Avoiding using newer Java Records to make this code easily runable on any jdk version </span> <span class="c1">// Note 2: made usually private internal vars public as to avoid extra verbosity of implementing getters;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">Restaurant</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">name</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">foodQuality</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">environment</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">location</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">Restaurant</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">name</span><span class="o">,</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">foodQuality</span><span class="o">,</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">environment</span><span class="o">,</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">location</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">name</span> <span class="o">=</span> <span class="n">name</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">foodQuality</span> <span class="o">=</span> <span class="n">foodQuality</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">environment</span> <span class="o">=</span> <span class="n">environment</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">location</span> <span class="o">=</span> <span class="n">location</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">Dish</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">name</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">sweetness</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">saltiness</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">bitterness</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">sourness</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">umami</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">Dish</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">name</span><span class="o">,</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">sweetness</span><span class="o">,</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">saltiness</span><span class="o">,</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">bitterness</span><span class="o">,</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">sourness</span><span class="o">,</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">umami</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">name</span> <span class="o">=</span> <span class="n">name</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">sweetness</span> <span class="o">=</span> <span class="n">sweetness</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">saltiness</span> <span class="o">=</span> <span class="n">saltiness</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">bitterness</span> <span class="o">=</span> <span class="n">bitterness</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">sourness</span> <span class="o">=</span> <span class="n">sourness</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">umami</span> <span class="o">=</span> <span class="n">umami</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">RestaurantReviewer</span> <span class="kd">implements</span> <span class="nc">Reviewer</span><span class="o">&lt;</span><span class="nc">Restaurant</span><span class="o">&gt;</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">int</span> <span class="nf">rate</span><span class="o">(</span><span class="nc">Restaurant</span> <span class="n">obj</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Math</span><span class="o">.</span><span class="na">round</span><span class="o">(</span><span class="mf">0.6</span><span class="no">F</span> <span class="o">*</span> <span class="n">obj</span><span class="o">.</span><span class="na">foodQuality</span> <span class="o">+</span> <span class="mf">0.3</span><span class="no">F</span> <span class="o">*</span> <span class="n">obj</span><span class="o">.</span><span class="na">environment</span> <span class="o">+</span> <span class="mf">0.1</span><span class="no">F</span> <span class="o">*</span> <span class="n">obj</span><span class="o">.</span><span class="na">location</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">DishReviewer</span> <span class="kd">implements</span> <span class="nc">Reviewer</span><span class="o">&lt;</span><span class="nc">Dish</span><span class="o">&gt;</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">int</span> <span class="nf">rate</span><span class="o">(</span><span class="nc">Dish</span> <span class="n">obj</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Math</span><span class="o">.</span><span class="na">round</span><span class="o">(</span> <span class="mf">0.1</span><span class="no">F</span> <span class="o">*</span> <span class="n">obj</span><span class="o">.</span><span class="na">sweetness</span> <span class="o">+</span> <span class="mf">0.2</span><span class="no">F</span> <span class="o">*</span> <span class="n">obj</span><span class="o">.</span><span class="na">saltiness</span> <span class="o">+</span> <span class="mf">0.1</span><span class="no">F</span> <span class="o">*</span> <span class="n">obj</span><span class="o">.</span><span class="na">bitterness</span> <span class="o">+</span> <span class="mf">0.1</span><span class="no">F</span> <span class="o">*</span> <span class="n">obj</span><span class="o">.</span><span class="na">sourness</span> <span class="o">+</span> <span class="mf">0.5</span><span class="no">F</span> <span class="o">*</span> <span class="n">obj</span><span class="o">.</span><span class="na">umami</span> <span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">Evaluator</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kd">public</span> <span class="kt">int</span> <span class="nf">rate</span><span class="o">(</span><span class="no">T</span> <span class="n">obj</span><span class="o">,</span> <span class="nc">Reviewer</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="n">evaluator</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">evaluator</span><span class="o">.</span><span class="na">rate</span><span class="o">(</span><span class="n">obj</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">Restaurant</span> <span class="n">restaurant1</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Restaurant</span><span class="o">(</span><span class="s">"Cheesegaddon"</span><span class="o">,</span> <span class="mi">5</span><span class="o">,</span> <span class="mi">3</span><span class="o">,</span> <span class="mi">2</span><span class="o">);</span> <span class="kd">final</span> <span class="nc">RestaurantReviewer</span> <span class="n">reviewer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RestaurantReviewer</span><span class="o">();</span> <span class="kd">final</span> <span class="nc">Evaluator</span><span class="o">&lt;</span><span class="nc">Restaurant</span><span class="o">&gt;</span> <span class="n">evaluator</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Evaluator</span><span class="o">&lt;&gt;();</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">restaurant1Rating</span> <span class="o">=</span> <span class="n">evaluator</span><span class="o">.</span><span class="na">rate</span><span class="o">(</span><span class="n">restaurant1</span><span class="o">,</span> <span class="n">reviewer</span><span class="o">);</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span> <span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Restaurant %s final rate is: %d stars"</span><span class="o">,</span> <span class="n">restaurant1</span><span class="o">.</span><span class="na">name</span><span class="o">,</span> <span class="n">restaurant1Rating</span> <span class="o">)</span> <span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>This is an example where scala's implicits really shine. If we made our API - the Evaluator static class - accept the evaluator as an implicit argument:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">object</span> <span class="nc">Evaluator</span> <span class="o">{</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">[</span><span class="kt">T</span><span class="o">](</span><span class="n">obj</span><span class="k">:</span> <span class="kt">T</span><span class="o">)(</span><span class="k">implicit</span> <span class="n">evaluator</span><span class="k">:</span> <span class="kt">Reviewer</span><span class="o">[</span><span class="kt">T</span><span class="o">])</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="nv">evaluator</span><span class="o">.</span><span class="py">rate</span><span class="o">(</span><span class="n">obj</span><span class="o">)</span> <span class="o">}</span> </code></pre> </div> <p>.. and changed our <code>ReviewStrategies</code> to implicitly define TC instances:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">object</span> <span class="nc">ReviewStrategies</span> <span class="o">{</span> <span class="k">implicit</span> <span class="k">object</span> <span class="nc">RestaurantReviewer</span> <span class="k">extends</span> <span class="nc">Reviewer</span><span class="o">[</span><span class="kt">Restaurant</span><span class="o">]</span> <span class="o">{</span> <span class="k">override</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">(</span><span class="n">obj</span><span class="k">:</span> <span class="kt">Restaurant</span><span class="o">)</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="nv">scala</span><span class="o">.</span><span class="py">math</span> <span class="o">.</span><span class="py">round</span><span class="o">(</span><span class="mf">0.6F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">foodQuality</span> <span class="o">+</span> <span class="mf">0.3F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">environment</span> <span class="o">+</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">location</span><span class="o">)</span> <span class="o">}</span> <span class="k">implicit</span> <span class="k">object</span> <span class="nc">DishReviewer</span> <span class="k">extends</span> <span class="nc">Reviewer</span><span class="o">[</span><span class="kt">Dish</span><span class="o">]</span> <span class="o">{</span> <span class="k">override</span> <span class="k">def</span> <span class="nf">rate</span><span class="o">(</span><span class="n">obj</span><span class="k">:</span> <span class="kt">Dish</span><span class="o">)</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="nv">scala</span><span class="o">.</span><span class="py">math</span><span class="o">.</span><span class="py">round</span><span class="o">(</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">sweetness</span> <span class="o">+</span> <span class="mf">0.2F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">saltiness</span> <span class="o">+</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">bitterness</span> <span class="o">+</span> <span class="mf">0.1F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">sourness</span> <span class="o">+</span> <span class="mf">0.5F</span> <span class="o">*</span> <span class="nv">obj</span><span class="o">.</span><span class="py">umami</span> <span class="o">)</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>.. we could then simply import the intended review strategies based on scope:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">import</span> <span class="nn">ReviewStrategies._</span> <span class="k">val</span> <span class="nv">restaurant1Rating</span> <span class="k">=</span> <span class="nv">Evaluator</span><span class="o">.</span><span class="py">rate</span><span class="o">(</span><span class="n">restaurant1</span><span class="o">)</span> </code></pre> </div> <p>And this is one of my favorite things about TCs, namely the flexibility for future extension that they provide. If perhaps tomorrow a new food critic would join the team, one that uses a completely different algorithm for computing the rate, absolutely no change would be required<br> in our API - we would simply need to define and import the new different set of strategies.</p> <h2> Example 2 </h2> <p>Our second example is meant to illustrate an additional nice thing about TCs: the compile time safety.</p> <p>Let's say we want to prevent the following to happen:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">val</span> <span class="nv">aComparison</span> <span class="k">=</span> <span class="mi">2</span> <span class="o">==</span> <span class="s">"a String"</span> <span class="c1">// will print: Comparison is false</span> <span class="nf">println</span><span class="o">(</span><span class="n">s</span><span class="s">"Comparison is $aComparison"</span><span class="o">)</span> </code></pre> </div> <p>Your IDE will hopefully highlight the fact that we are comparing an int with a string, but compilation will succeed nonetheless, and the expression will evaluate to false.</p> <p>To solve this, we can use the same strategy as before. Let's define an <code>Eq</code> TC with two concrete implementations, respectively for <code>Int</code> and <code>String</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">trait</span> <span class="nc">Eq</span><span class="o">[</span><span class="kt">T</span><span class="o">]</span> <span class="o">{</span> <span class="k">def</span> <span class="nf">equals</span><span class="o">(</span><span class="n">val1</span><span class="k">:</span> <span class="kt">T</span><span class="o">,</span> <span class="n">val2</span><span class="k">:</span> <span class="kt">T</span><span class="o">)</span><span class="k">:</span> <span class="kt">Boolean</span> <span class="o">}</span> <span class="k">implicit</span> <span class="k">object</span> <span class="nc">IntEq</span> <span class="k">extends</span> <span class="nc">Eq</span><span class="o">[</span><span class="kt">Int</span><span class="o">]</span> <span class="o">{</span> <span class="k">override</span> <span class="k">def</span> <span class="nf">equals</span><span class="o">(</span><span class="n">val1</span><span class="k">:</span> <span class="kt">Int</span><span class="o">,</span> <span class="n">val2</span><span class="k">:</span> <span class="kt">Int</span><span class="o">)</span><span class="k">:</span> <span class="kt">Boolean</span> <span class="o">=</span> <span class="n">val1</span> <span class="o">==</span> <span class="n">val2</span> <span class="o">}</span> <span class="k">implicit</span> <span class="k">object</span> <span class="nc">StringEq</span> <span class="k">extends</span> <span class="nc">Eq</span><span class="o">[</span><span class="kt">String</span><span class="o">]</span> <span class="o">{</span> <span class="k">override</span> <span class="k">def</span> <span class="nf">equals</span><span class="o">(</span><span class="n">val1</span><span class="k">:</span> <span class="kt">String</span><span class="o">,</span> <span class="n">val2</span><span class="k">:</span> <span class="kt">String</span><span class="o">)</span><span class="k">:</span> <span class="kt">Boolean</span> <span class="o">=</span> <span class="nv">val1</span><span class="o">.</span><span class="py">equals</span><span class="o">(</span><span class="n">val2</span><span class="o">)</span> <span class="o">}</span> <span class="k">object</span> <span class="nc">Comparison</span> <span class="o">{</span> <span class="k">def</span> <span class="nf">compare</span><span class="o">[</span><span class="kt">T</span><span class="o">](</span><span class="n">val1</span><span class="k">:</span> <span class="kt">T</span><span class="o">,</span> <span class="n">val2</span><span class="k">:</span> <span class="kt">T</span><span class="o">)(</span><span class="k">implicit</span> <span class="n">comparator</span><span class="k">:</span> <span class="kt">Eq</span><span class="o">[</span><span class="kt">T</span><span class="o">])</span><span class="k">:</span> <span class="kt">Boolean</span> <span class="o">=</span> <span class="nv">comparator</span><span class="o">.</span><span class="py">equals</span><span class="o">(</span><span class="n">val1</span><span class="o">,</span> <span class="n">val2</span><span class="o">)</span> <span class="o">}</span> <span class="k">val</span> <span class="nv">aNumber</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="mi">4</span> <span class="k">val</span> <span class="nv">anotherNumber</span><span class="k">:</span> <span class="kt">Int</span> <span class="o">=</span> <span class="mi">5</span> <span class="k">val</span> <span class="nv">result1</span> <span class="k">=</span> <span class="nv">Comparison</span><span class="o">.</span><span class="py">compare</span><span class="o">(</span><span class="n">aNumber</span><span class="o">,</span> <span class="n">anotherNumber</span><span class="o">)</span> <span class="c1">// will print: 4 == 5 is false</span> <span class="nf">println</span><span class="o">(</span><span class="n">s</span><span class="s">"$aNumber == $anotherNumber is $result1"</span><span class="o">)</span> </code></pre> </div> <p>With this approach we are certain that if we try:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code><span class="nv">Comparison</span><span class="o">.</span><span class="py">compare</span><span class="o">(</span><span class="mi">1</span><span class="o">,</span> <span class="s">"one"</span><span class="o">)</span> </code></pre> </div> <p>... compilation will fail, as intended.</p> <p>We could improve our <code>Comparison</code> implementation just a little further leveraging scala extension methods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">object</span> <span class="nc">MyComparisons</span> <span class="o">{</span> <span class="k">implicit</span> <span class="k">class</span> <span class="nc">MyIntComparison</span><span class="o">[</span><span class="kt">T</span><span class="o">](</span><span class="n">val1</span><span class="k">:</span> <span class="kt">T</span><span class="o">)(</span><span class="k">implicit</span> <span class="n">eq</span><span class="k">:</span> <span class="kt">Eq</span><span class="o">[</span><span class="kt">T</span><span class="o">])</span> <span class="o">{</span> <span class="k">def</span> <span class="nf">`===`</span><span class="o">(</span><span class="n">val2</span><span class="k">:</span> <span class="kt">T</span><span class="o">)</span><span class="k">:</span> <span class="kt">Boolean</span> <span class="o">=</span> <span class="nv">eq</span><span class="o">.</span><span class="py">equals</span><span class="o">(</span><span class="n">val1</span><span class="o">,</span> <span class="n">val2</span><span class="o">)</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>If we import <code>MyComparisons</code> object, we will immediately start having access to our custom <code>===</code> method for all <code>Int</code> and <code>String</code> type objects, allowing the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">import</span> <span class="nn">MyComparisons._</span> <span class="c1">// will print: 4 === 5 is false</span> <span class="nf">println</span><span class="o">(</span><span class="n">s</span><span class="s">"$aNumber === $anotherNumber is ${aNumber === anotherNumber}"</span><span class="o">)</span> </code></pre> </div> <p>In case you're wondering how extension methods work, essentially the compiler is smart enough to underneath the hood to rap our <code>Int</code> instance stored in variable <code>aNumber</code> into a new instance of: <br> <code>new MyIntComparison(aNumber)</code> <br> .. and call the method <code>===</code> towards the other <code>Int</code> instance stored in variable <code>anotherNumber</code>: <br> <code>new MyIntComparison(aNumber).=== (anotherNumber)</code></p> <p>Pretty cool, right? </p> <p>If you're thinking to implement this by yourself, think again. Scala's Swiss-army-knife library <code>cats</code> provides exactly this same functionality.</p> <p>Start by importing it in sbt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>val catsVersion = "2.1.1" libraryDependencies ++= Seq( "org.typelevel" %% "cats-core" % catsVersion ) </code></pre> </div> <p>And use it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scala"><code> <span class="k">import</span> <span class="nn">cats.instances.int._</span> <span class="k">import</span> <span class="nn">cats.syntax.eq._</span> <span class="c1">// will print: 2 === 3 is false</span> <span class="nf">println</span><span class="o">(</span><span class="n">s</span><span class="s">"2 === 3 is ${2 === 3}"</span><span class="o">)</span> </code></pre> </div> <h2> Conclusion </h2> <p>I'd like to wish that, if anything, this post manages to convey the intuition behind type classes. </p> <p>Type classes are useful when we want to model different behaviors according to the specific type of an object. With our previous example, we tried to provide a case where it makes little sense to use polymorphism to model distinct concepts, namely restaurants, hotels, cars, cities, etc. In other words, instead of having a common interface that all of the previous classes inherit, we prefer to rather use generics.<br> Our type class is nothing but an interface that defines the signature for a given behavior/method leveraging generics.<br> This leaves the concrete implementation open for accommodate different strategies according to the concrete types, or even different strategies for the same time. This idea is probably what makes type classes so powerful: the flexibility to extend them.</p> <p>Our second type class example attempted to illustrate one last perk: type safety at compile time. It did so with a simplified example of the <code>cats</code> core library for type safety equality comparison between objects. If you're not familiar with cats, <a href="https://typelevel.org/cats/">go ahead and give it go</a>. </p> <h2> References </h2> <ul> <li><a href="https://en.wikipedia.org/wiki/Parametric_polymorphism">parametric polymorphism</a></li> <li><a href="https://en.wikipedia.org/wiki/Parametric_polymorphism">ad hoc polymorphism</a></li> <li>Jason McClellan on the <a href="https://dev.to/jmcclell/inheritance-vs-generics-vs-typeclasses-in-scala-20op">different types of polymorphism and where type classes fit</a> </li> <li><a href="https://typelevel.org/cats/">cats core library</a></li> <li> <a href="https://github.com/mklabs-io/scala-type-classes-intro">repo code for this blog post</a> </li> </ul> scala functional programming Roko Romic Thu, 17 Jun 2021 11:44:12 +0000 https://dev.to/mklabs/bootstrapping-a-startup-on-aws-with-aws-serverless-and-go-14og https://dev.to/mklabs/bootstrapping-a-startup-on-aws-with-aws-serverless-and-go-14og <p>In this article we wanted to share an overview of a recent project to build a logistics platform from scratch using AWS cloud, Go and serverless. Yes, there is already a great abundance of blog posts focusing on all of these individual technologies. What we find often lacks is how to glue all of those together, which is exactly what we describe in this post. <br> <a href="https://github.com/mklabs-io/aws-serverless-go-blog-post" rel="noopener noreferrer">Here</a> is our full code supporting this blog post.</p> <h5> Pre-Requisites </h5> <p>If you want to try to play around with our examples, you'll need to set up those things in case you don't have already set it up:</p> <ul> <li>AWS account</li> <li>AWS CLI</li> <li>AWS SAM CLI</li> <li>Terraform </li> <li>Docker </li> <li>Make</li> <li>AWS VPC</li> <li>AWS S3 buckets</li> </ul> <p>To be able to completely follow up an article, some basic understanding of those tools and frameworks would be nice, but it's not required.<br> The concept of this post and examples is to give you an idea how you can set up your own architecture and use those techniques. </p> <h2> Overview - architecture </h2> <p>So basically our architecture consists of:</p> <ul> <li>AWS Lambdas - Go runtime running our business logic</li> <li>AWS S3 buckets - for hosting frontend and Terraform backend configuration</li> <li>AWS RDS (Postgres version 12) - instance for storing business related data</li> <li>AWS DynamoDB - used for Terraform locking mechanism, preventing multiple users to apply simultaneously</li> <li>AWS SSM - used to connect to our RDS instance within private VPC to be able to monitor and to maintain data</li> <li>AWS Cognito - used for identity management and authentication</li> <li>Terraform and AWS SAM (Serverless Application Model) as glue to keep all states synced and up-to-date</li> </ul> <p>From an outside networking point of view, we decided to go with <a href="https://www.cloudflare.com/" rel="noopener noreferrer">cloudflare</a> as a DNS service. The main benefit of using cloudflare is it’s <strong>DDoS protection</strong>. The experiences that we had previously with cloudflare were very good, so it was logical to stay with cloudflare. Most of all, adding and maintaining DNS records, we found to be user friendly even for one’s without a networking background. <br> With this feature on, one thing less to think about while designing a solution. Last awesomeness is that <a href="https://www.cloudflare.com/" rel="noopener noreferrer">Cloudflare</a> solutions/features (such as automatically setting up SSL certificates for our (sub)domains) are completely <strong>free</strong>.</p> <p>The whole project is handled by the GitLab CI/CD pipeline. <br> You can get free minutes on Gitlab to run your own CI/CD pipelines, when it comes to small projects, this is a fair deal. </p> <p>You can see in the next picture how we designed a solution for the project. <br> This illustration represents an overview of the technical solution.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkf3z9v7pd8beozbkfhwp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkf3z9v7pd8beozbkfhwp.png" alt="Alt Text"></a></p> <h2> Programming Language </h2> <p>Regarding the programming language choice, Go seemed like an easy choice: low memory footprint (allowing thin run times), fast startup times, static typing, and ease of usage and readability. A lot of work in this platform involved integration with different partners, so the simplicity in Go’s concurrency model was also a big appeal. <br> Regarding ORM side of things, in the <a href="https://mkops.io" rel="noopener noreferrer">mkops</a> project this was handled by a java 11 backend based on spring boot and hibernate, and go was a pure stateless supporting microservice. This time we had a chance to dive into <a href="https://gorm.io/index.html" rel="noopener noreferrer">GORM</a> to model our entities persisted on a Postgres 12. </p> <h2> Serverless model </h2> <p>Due to the nature of most of our projects (related to big data), our default infrastructure goto platform is kubernetes. Here, however, a serverless model for the API provided a quite nice fit.<br> After reviewing all the workflows that needed to happen, it was clear to us: the logistics platform would be heavy on the background processes that integrate between different platforms that could be started in a cron fashion. The database provided all state locking required, so the processes could run independently and without communicating to each other. <br> Another argument was the relative low amount of user traffic expected. The cost and administration effort of running a standalone and permanent fargate instance (ECS/EKS) did not add up.<br> In summary, the motives for our choice are much of the usual suspects: low administration effort, higher security due to ephemeral nature, and lower operating costs. </p> <p>In order to provide a seamless local development environment AWS provides a cool framework named AWS SAM. It allows you to run AWS Lambdas locally, and, most importantly, with an option to easily create the relevant Service events like API Gateway. So our solution for running things locally and for testing involved Docker with <a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-template-anatomy.html" rel="noopener noreferrer">SAM template</a> and of course <a href="https://github.com/localstack/localstack" rel="noopener noreferrer">Localstack</a> for simulating other AWS resources that we were using, such as <code>AWS SES, AWS S3 and AWS SecretManager</code>. </p> <h2> AWS SAM </h2> <p>In the spirit of keeping low a maintenance effort while having a speedy implementation, we decided to start by considering serverless frameworks. The two main options boiled down to <em>AWS SAM</em> or <em>the Serverless Framework</em>. <br> The main difference between the two is that Serverless is used to deploy FaaS (Function as a Service) functions with support for different providers. SAM, on the other hand, is used specifically for AWS as a cloud provider, deploying not only cloud functions but also the (minimum) underlying infrastructure to expose some business logic with an HTTP Endpoint.</p> <p>AWS SAM allows us to spin up (most) of the resources it manages locally, including Lambdas and the API Gateway. With this in mind, it made it easier for us to develop and test Lambda functions before deploying them to AWS. </p> <p>We were fairly set on using AWS as a cloud provider, which helped our decision to go for AWS SAM. </p> <p>AWS SAM follows a <a href="https://www.redhat.com/en/topics/automation/what-is-infrastructure-as-code-iac#:~:text=A%20declarative%20approach%20also%20keeps,executed%20in%20the%20correct%20order." rel="noopener noreferrer">declarative</a> approach for defining the stack and makes use of a command line utility to deploy: resources are declared in one key file called <code>template.yaml</code>. More details on the anatomy of the AWS SAM template <a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-template-anatomy.html" rel="noopener noreferrer">here</a>. </p> <p>Under the hood, AWS SAM is an oversimplified version of CloudFormation albeit very similar. Resources declared in the <code>template.yaml</code> get automatically converted, by the <a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html" rel="noopener noreferrer">sam cli</a> to CloudFormation so it’s very easy to inspect what exactly is getting created on our behalf.</p> <p>After installing <code>sam cli</code> for your operating system, these are the commands that you will need to create AWS resources are:</p> <ul> <li>sam package --template-file template.yaml --s3-bucket <em>your_s3_bucket</em> --output-template-file package.yaml</li> <li>sam deploy --template-file package.yaml --stack-name <em>your_stack_name</em> --capabilities CAPABILITY_IAM</li> </ul> <p>sam package is used for converting the <code>template.yaml</code> into deployable artifacts as well as uploading said artifacts to an AWS S3 bucket. It’s important to note that this bucket needs to be created beforehand.<br> An important caveat to these deployments to note is that there is a hard limit of how much your total package size can be: <strong>250MB</strong>. Meaning, if you have multiple lambdas defined, and their total size exceeds the limit, SAM will throw an error. If you are tempted to create an individual function for each endpoint, then it’s likely you will reach this limit quite fast. One way to solve this, is to use your lambas as docker images (a recent feature of Lambdas, where the hard limit is 10GB),upload it to AWS ECR and reference it in the SAM template or mount EFS volumes within Lambda. More details you can find <a href="https://lumigo.io/blog/package-your-lambda-function-as-a-container-image/" rel="noopener noreferrer">here</a>. <strong>Another way</strong> is to write a single lambda with its own router and point all traffic there (read more for an example).<br> The output generated from command <code>sam package</code> is the input template file for next command, <code>sam deploy</code>. <br> To delete your resources created by AWS SAM run following command:<br> <code>aws cloudformation delete-stack --stack-name *your_stack_name*</code><br> Here is an example of the AWS SAM template.yaml file. The file is used to create AWS resources like AWS Lambda, and API Gateway with Custom domain through which lambda will be exposed on the Internet. <br> We’re setting up a Custom domain for API Gateway to be exposed to the Internet over a user-friendly domain name, instead of a generic one created by AWS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s">2010-09-09</span> <span class="na">Transform</span><span class="pi">:</span> <span class="s">AWS::Serverless-2016-10-31</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">TargetStage</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">dev/prd"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">DomainName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">AcmCertificateArn</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">VPCSecurityGroupIDs</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">An</span><span class="nv"> </span><span class="s">comma-delimited</span><span class="nv"> </span><span class="s">list</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">strings</span><span class="nv"> </span><span class="s">-</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">security</span><span class="nv"> </span><span class="s">groups</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">your</span><span class="nv"> </span><span class="s">Lambda</span><span class="nv"> </span><span class="s">function</span><span class="nv"> </span><span class="s">should</span><span class="nv"> </span><span class="s">be</span><span class="nv"> </span><span class="s">in"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">CommaDelimitedList</span> <span class="na">VPCSubnetIDs</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">An</span><span class="nv"> </span><span class="s">comma-delimited</span><span class="nv"> </span><span class="s">list</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">strings</span><span class="nv"> </span><span class="s">-</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">subnet</span><span class="nv"> </span><span class="s">IDs</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">your</span><span class="nv"> </span><span class="s">Lambda</span><span class="nv"> </span><span class="s">function</span><span class="nv"> </span><span class="s">should</span><span class="nv"> </span><span class="s">be</span><span class="nv"> </span><span class="s">assigned</span><span class="nv"> </span><span class="s">to"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">CommaDelimitedList</span> <span class="na">Globals</span><span class="pi">:</span> <span class="na">Api</span><span class="pi">:</span> <span class="na">Cors</span><span class="pi">:</span> <span class="na">AllowMethods</span><span class="pi">:</span> <span class="s2">"</span><span class="s">'GET,</span><span class="nv"> </span><span class="s">POST,</span><span class="nv"> </span><span class="s">PUT,</span><span class="nv"> </span><span class="s">OPTIONS,</span><span class="nv"> </span><span class="s">DELETE'"</span> <span class="na">AllowHeaders</span><span class="pi">:</span> <span class="s2">"</span><span class="s">'*'"</span> <span class="na">AllowOrigin</span><span class="pi">:</span> <span class="s2">"</span><span class="s">'*'"</span> <span class="na">Function</span><span class="pi">:</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">go1.x</span> <span class="na">Tracing</span><span class="pi">:</span> <span class="s">Active</span> <span class="c1"># https://docs.aws.amazon.com/lambda/latest/dg/lambda-x-ray.html</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">30</span> <span class="na">VpcConfig</span><span class="pi">:</span> <span class="na">SecurityGroupIds</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">VPCSecurityGroupIDs</span> <span class="na">SubnetIds</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">VPCSubnetIDs</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">ApiDetails</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Api</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">StageName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TargetStage</span> <span class="na">Auth</span><span class="pi">:</span> <span class="na">UsagePlan</span><span class="pi">:</span> <span class="na">CreateUsagePlan</span><span class="pi">:</span> <span class="s">PER_API</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Usage plan for this API</span> <span class="na">Quota</span><span class="pi">:</span> <span class="na">Limit</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">Period</span><span class="pi">:</span> <span class="s">MONTH</span> <span class="na">Throttle</span><span class="pi">:</span> <span class="na">BurstLimit</span><span class="pi">:</span> <span class="m">50</span> <span class="na">RateLimit</span><span class="pi">:</span> <span class="m">20</span> <span class="na">ApiDomain</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ApiGateway::DomainName</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RegionalCertificateArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AcmCertificateArn</span> <span class="na">DomainName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DomainName</span> <span class="na">EndpointConfiguration</span><span class="pi">:</span> <span class="na">Types</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">REGIONAL</span> <span class="na">SecurityPolicy</span><span class="pi">:</span> <span class="s">TLS_1_2</span> <span class="na">ApiDomainMappings</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ApiGateway::BasePathMapping</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DomainName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DomainName</span> <span class="na">RestApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ApiDetails</span> <span class="na">Stage</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ApiDetails.Stage</span> <span class="na">EchoFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">bin/echo-sample</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="m">128</span> <span class="na">Events</span><span class="pi">:</span> <span class="na">AllEvents</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Api</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">any</span> <span class="na">RestApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ApiDetails</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">ApiCustomDomainRegionalDomainName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Regional</span><span class="nv"> </span><span class="s">domain</span><span class="nv"> </span><span class="s">name</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">API'</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ApiDomain.RegionalDomainName</span> </code></pre> </div> <p>As you can see in example, there are some sections defined like <code>Parameters, Globals, Resources, Outputs</code>. More details about each section you can read <a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-template-anatomy.html" rel="noopener noreferrer">here</a>.<br> To set up some parameters or override them, you can use option <code>--parameter-overrides</code> for aws sam deploy command. Like an example: <code>sam deploy --stack-name test--template-file packaged.yaml --capabilities CAPABILITY_IAM --parameter-overrides TargetStage=dev</code>, where we’re setting to parameter <code>TargetStage</code> a value <code>dev</code>.<br> The section of interest is the <code>Resource</code>: this is where we describe how our API Gateway, <code>Custom Domain</code> used for API Gateway and our simple Lambda should look like.</p> <p>It’s also worthwhile mentioning that, for each API, you can define an <strong>Invocation Quota</strong> which can be both (1) a way to protect your deployment and (2) avoid cost escalation.<br> In this example we’re setting API Gateway to Custom Domain. To do so, we’re defining two resources: <code>ApiDomain</code> and <code>ApiDomainMappings</code>. To completely set up a custom domain on API Gateway you have to be an owner of that domain and it doesn’t need to be registered on AWS Route53 - it can be any DNS Registrar. We’re using Cloudflare as our DNS Registrar, so in this example we will use the same DNS.<br> Next step is to create an ACM certificate. <a href="https://aws.amazon.com/certificate-manager/" rel="noopener noreferrer">AWS Certificate Manager (ACM)</a> is a service that provisions and manages SSL certificates on AWS. This is a prerequisite if we want to do anything custom domain related in API Gateway. <code>Note: you have to create an ACM certificate in the same AWS region as your API Gateway will be, if you are using an API endpoint type as regional as we do in our example</code>.<br> In our case, we’re using Cloudflare, and our domain is registered on Cloudflare service. In that case, we're going to need to create an SSL certificate on Cloudflare and import that one into AWS ACM. <br> <a href="https://developers.cloudflare.com/ssl/origin-configuration/origin-ca" rel="noopener noreferrer">Here</a> is a blog post from Cloudflare which can help you to create a certificate, it’s pretty straightforward. After successfully creating an origin certificate, you need to store the <strong>origin certificate</strong> and <strong>private key</strong> generated for you in <em>PEM</em> format. You will need this data for importing the certificate into AWS ACM. Note if you don’t save a private key and exit from the page with the generated one, you won’t be able to retrieve it again. In that case you will have to first revoke the certificate and then create a new one again.<br> To import an existing origin certificate published by Cloudflare, follow these <a href="(https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html)">instructions</a>. <br> Save the newly generated ARN key of the imported certificate, you will assign it in the SAM template in resource <code>ApiDomain</code>. </p> <p>Note that your custom <strong>DomainName</strong> property in resource <strong>ApiDomain</strong> must match the one that was added in the ACM certificate, otherwise it won't be created. In this example we’re using an SSL certificate for <em>api-test.your.domain.com</em>, so we have to set the parameter <strong>DomainName</strong> exactly like that subdomain.</p> <p>The last thing to set up for API Gateway and custom domain is to define resource <code>ApiDomainMappings</code>. Basically it will allow us to point the custom domain at an existing API Gateway. It’s a simple mapping that lets us point API stages at specific paths. This is a useful feature if you have multiple APIs making up a suite that you want behind a shared domain.</p> <p>We ran into an issue while setting up <strong>Stage</strong> property. At first we tried to simply add value as reference to Parameter <code>Stage: !Ref TargetStage</code>, but we got a strange error saying &gt;“Invalid stage identifier specified”. After some digging we found a github topic with the same problem. <br> The problem lies in that creating a Stage resource is outside of the SAM template and with just referencing it to name will fail, because the resource <code>ApiDomainMappings</code> it’s being created before resource Stage. Thanks to fellows on github, <a href="https://github.com/aws/serverless-application-model/issues/192#issuecomment-520893111" rel="noopener noreferrer">this</a> suggestion worked. <br> So we changed Stage property to: <code>Stage: !Ref ApiDetails.Stage</code>. </p> <p>The very last thing to finish setting up API Gateway is to update over DNS with new records pointing to the domain name of API Gateway generated by AWS. <br> Generic domain name looks like <em><a href="https://api-id.execute-api.region.amazonaws.com/stage" rel="noopener noreferrer">https://api-id.execute-api.region.amazonaws.com/stage</a></em>, where <strong>api-id</strong> is generated by API Gateway, region (AWS Region) is specified by you when creating the API, and stage is specified by you when deploying the API.</p> <p>All you have to do is to login to your Cloudflare account and add a new <code>CNAME</code> record with a subdomain that matches the one you decided to add into the SAM template in <code>DomainName</code> parameter and pointing to the generated domain name of your API Gateway. </p> <p>With this set up, you just provide to your developers newly created user-friendly REST API endpoint (exp. <a href="https://app-test.your-domain.com/stage" rel="noopener noreferrer">https://app-test.your-domain.com/stage</a>).<br> If you want to avoid manually adding new DNS records to your Cloudflare provider, this is an example of how we managed to automate adding new records to Cloudflare.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"get_api_gateway_endpoint"</span> <span class="p">{</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">template</span> <span class="p">=</span> <span class="nx">sha1</span><span class="p">(</span><span class="nx">file</span><span class="p">(</span><span class="s2">"../../../backend/template.yaml"</span><span class="p">))</span> <span class="nx">stack_name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">stack_name</span> <span class="p">}</span> <span class="k">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">interpreter</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"bash"</span><span class="p">,</span> <span class="s2">"-c"</span><span class="p">]</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws cloudformation describe-stacks --stack-name </span><span class="k">${</span><span class="nx">self</span><span class="p">.</span><span class="nx">triggers</span><span class="p">.</span><span class="nx">stack_name</span><span class="k">}</span><span class="s2"> | jq '.Stacks[0].Outputs[0].OutputValue'| sed 's/</span><span class="se">\"</span><span class="s2">//g' &gt; </span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/gateway_endpoint.txt"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">null_resource</span><span class="p">.</span><span class="nx">build_deploy_sam_resource</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>In this part, we used null_resource to call aws command <code>aws cloudformation describe-stacks</code> to get <strong>API Gateway domain name</strong> (we defined Output section in the AWS SAM template as what it should look like) and store it in file. With <em>sed</em> command we’re stripping away <em>https://</em> from domain name, and only leaving domain name that we going to add to new DNS record.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"local_file"</span> <span class="s2">"api_gateway_endpoint"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/gateway_endpoint.txt"</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">null_resource</span><span class="p">.</span><span class="nx">get_api_gateway_endpoint</span><span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"cloudflare_record"</span> <span class="s2">"api_gateway_endpoint"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="k">data</span><span class="p">.</span><span class="nx">local_file</span><span class="p">.</span><span class="nx">api_gateway_endpoint</span><span class="p">]</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">subdomain_name_backend</span> <span class="nx">value</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">local_file</span><span class="p">.</span><span class="nx">api_gateway_endpoint</span><span class="p">.</span><span class="nx">content</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CNAME"</span> <span class="nx">proxied</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">cloudflare_zones</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">zones</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="s2">"id"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Using Terraform resource cloudflare_record, we set the value as content of the file that we generated above (it’s value where our CNAME record will point to), and the name value represents the subdomain that we want to use for our REST API endpoint. </p> <p>The last resource defined in the SAM template example is our lambda <strong>EchoFunction</strong>.<br> Key things to keep in mind is to set up a lambda handler (pointing to Go executable file located in our project structure) and events (defining what kind of type will trigger our lambda). <br> In this example we are using the API as a trigger for our lambda.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">Type</span><span class="pi">:</span> <span class="s">Api</span> <span class="s">Properties</span><span class="err">:</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/{proxy+}</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">any</span> <span class="na">RestApiId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ApiDetails</span> </code></pre> </div> <p>As you can see, we defined that any path and method can trigger our lambda over API Gateway that we had previously created. With this approach and with using this <a href="https://github.com/awslabs/aws-lambda-go-api-proxy" rel="noopener noreferrer">solution</a> with the Go Echo framework, we reduced the number of lambdas (also with this approach we solved the problem with a hard limit of total size that all lambdas can have). Using the aws-lambda-go-api-proxy with echo framework we defined a REST controller that is managing real paths and methods that our lambda consumes.</p> <p>Note, if your lambda needs more permissions to access some other AWS resources, you can set up Role property. One way you can create a role with Terraform and then create a property in the SAM template to pass it ARN of the created role and reference it to Role property. <br> <strong>Another way</strong> is to create a role inside of a SAM template and reference it to the Role property.</p> <p>To expose your lambda over API Gateway the last thing to do is to enable, you already guess, <code>CORS</code>. To do so, all you have to is to define <em>CORS</em> section in the SAM template. In our case we set up as globals, so our API Gateway will automatically have CORS enabled.<br> Even with enabled CORS on API Gateway, you still have to handle in your lambda CORS headers, otherwise invocation of your lambda will not work. </p> <p>With the Echo framework we created CORS middlerware to make our lambda functional. <br> Here is an example how to do it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">e</span> <span class="o">:=</span> <span class="n">echo</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="n">e</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">CORSWithConfig</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">CORSConfig</span><span class="p">{</span> <span class="n">AllowOrigins</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">"*"</span><span class="p">},</span> <span class="n">AllowMethods</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="n">echo</span><span class="o">.</span><span class="n">GET</span><span class="p">,</span> <span class="n">echo</span><span class="o">.</span><span class="n">PUT</span><span class="p">,</span> <span class="n">echo</span><span class="o">.</span><span class="n">POST</span><span class="p">,</span> <span class="n">echo</span><span class="o">.</span><span class="n">DELETE</span><span class="p">,</span> <span class="n">echo</span><span class="o">.</span><span class="n">OPTIONS</span><span class="p">},</span> <span class="n">AllowHeaders</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">"Accept"</span><span class="p">,</span> <span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"Content-Length"</span><span class="p">,</span> <span class="s">"Accept-Encoding"</span><span class="p">,</span> <span class="s">"X-CSRF-Token"</span><span class="p">,</span> <span class="s">"Authorization"</span><span class="p">},</span> <span class="p">}))</span> </code></pre> </div> <h2> AWS Lambda </h2> <p>Lambda is the Serverless computing platform service provided on AWS. Using a Lambda function you can run or execute your application code without actually provisioning any application servers.</p> <p>Since December of 2020, AWS has increased memory that can be assigned to lambda function to max 10GB and increased the number of vCPU to allocate to max 6 vCPU. <br> Also a new cool feature is that you can now package and deploy Lambda functions as container images of up to 10 GB in size. If you have some big lambda function with huge dependencies, you can then easily use this approach to solve the situation where your lambda handler can have a max file size of 250MB.</p> <p>The way we approach this hard limit, we used the <a href="https://github.com/awslabs/aws-lambda-go-api-proxy" rel="noopener noreferrer">aws-lambda-go-api-proxy</a> solution to <strong>packt</strong> multiple lambas into one. Basically this solution allows us to use one lambda to handle multiple methods or paths for one API Gateway, so we don’t need to have multiple lambdas for each path or method. It makes it easier to maintain a code base. </p> <p>Very cool thing is, if you have already developed your REST API with <code>Echo framework</code> or some other like <code>Gin, Iris, Negroni, Mux, Fiber or Chi</code> and you’re planning to move to serverless (AWS Lambda, GCP Cloud Function, ...) you can easily achieve it by using <a href="https://github.com/awslabs/aws-lambda-go-api-proxy" rel="noopener noreferrer">this</a> solution.<br> If usage goes up and it becomes price prohibitive, it's a one line change to swap it to a container &amp; run via AWS services like Fargate, ECS.</p> <p>In the next example we’ll show you how to use the Echo framework with aws-lambda-go-api-proxy to achieve the solution of having one lambda function for multiple paths and methods. <br> We have defined two paths, <strong>/user</strong> and <strong>/organization</strong>, with two supported methods each.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"net/http"</span> <span class="s">"github.com/aws/aws-lambda-go/events"</span> <span class="s">"github.com/aws/aws-lambda-go/lambda"</span> <span class="n">echoadapter</span> <span class="s">"github.com/awslabs/aws-lambda-go-api-proxy/echo"</span> <span class="s">"github.com/labstack/echo/v4"</span> <span class="s">"github.com/labstack/echo/v4/middleware"</span> <span class="p">)</span> <span class="k">type</span> <span class="n">UserData</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">UserId</span> <span class="kt">string</span> <span class="s">`json:"userId"`</span> <span class="n">DisplayName</span> <span class="kt">string</span> <span class="s">`json:"displayname"`</span> <span class="n">Status</span> <span class="kt">string</span> <span class="s">`json:"status"`</span> <span class="p">}</span> <span class="k">type</span> <span class="n">User</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">User</span> <span class="n">UserData</span> <span class="s">`json:"user"`</span> <span class="p">}</span> <span class="k">type</span> <span class="n">OrganizationData</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">OrganizationId</span> <span class="kt">string</span> <span class="s">`json:"organizationId"`</span> <span class="n">DisplayName</span> <span class="kt">string</span> <span class="s">`json:"displayname"`</span> <span class="n">Status</span> <span class="kt">string</span> <span class="s">`json:"status"`</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Organization</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Organization</span> <span class="n">OrganizationData</span> <span class="s">`json:"organization"`</span> <span class="p">}</span> <span class="k">var</span> <span class="n">echoLambda</span> <span class="o">*</span><span class="n">echoadapter</span><span class="o">.</span><span class="n">EchoLambda</span> <span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="n">e</span> <span class="o">:=</span> <span class="n">echo</span><span class="o">.</span><span class="n">New</span><span class="p">()</span> <span class="c">//define routes</span> <span class="n">registerUserRoutes</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="n">registerOrganizationRoutes</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="c">//define CORS</span> <span class="n">e</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">CORSWithConfig</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">CORSConfig</span><span class="p">{</span> <span class="n">AllowOrigins</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">"*"</span><span class="p">},</span> <span class="n">AllowMethods</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="n">echo</span><span class="o">.</span><span class="n">GET</span><span class="p">,</span> <span class="n">echo</span><span class="o">.</span><span class="n">PUT</span><span class="p">,</span> <span class="n">echo</span><span class="o">.</span><span class="n">POST</span><span class="p">,</span> <span class="n">echo</span><span class="o">.</span><span class="n">DELETE</span><span class="p">,</span> <span class="n">echo</span><span class="o">.</span><span class="n">OPTIONS</span><span class="p">},</span> <span class="n">AllowHeaders</span><span class="o">:</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span><span class="s">"Accept"</span><span class="p">,</span> <span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"Content-Length"</span><span class="p">,</span> <span class="s">"Accept-Encoding"</span><span class="p">,</span> <span class="s">"X-CSRF-Token"</span><span class="p">,</span> <span class="s">"Authorization"</span><span class="p">},</span> <span class="p">}))</span> <span class="n">e</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middleware</span><span class="o">.</span><span class="n">Logger</span><span class="p">())</span> <span class="n">echoLambda</span> <span class="o">=</span> <span class="n">echoadapter</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">handler</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">events</span><span class="o">.</span><span class="n">APIGatewayProxyRequest</span><span class="p">)</span> <span class="p">(</span><span class="n">events</span><span class="o">.</span><span class="n">APIGatewayProxyResponse</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">echoLambda</span><span class="o">.</span><span class="n">ProxyWithContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">lambda</span><span class="o">.</span><span class="n">Start</span><span class="p">(</span><span class="n">handler</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">registerUserRoutes</span><span class="p">(</span><span class="n">e</span> <span class="o">*</span><span class="n">echo</span><span class="o">.</span><span class="n">Echo</span><span class="p">)</span> <span class="p">{</span> <span class="n">user</span> <span class="o">:=</span> <span class="n">e</span><span class="o">.</span><span class="n">Group</span><span class="p">(</span><span class="s">"/user"</span><span class="p">)</span> <span class="n">user</span><span class="o">.</span><span class="n">GET</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="n">getUser</span><span class="p">)</span> <span class="n">user</span><span class="o">.</span><span class="n">POST</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="n">createUser</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">registerOrganizationRoutes</span><span class="p">(</span><span class="n">e</span> <span class="o">*</span><span class="n">echo</span><span class="o">.</span><span class="n">Echo</span><span class="p">)</span> <span class="p">{</span> <span class="n">organization</span> <span class="o">:=</span> <span class="n">e</span><span class="o">.</span><span class="n">Group</span><span class="p">(</span><span class="s">"/organization"</span><span class="p">)</span> <span class="n">organization</span><span class="o">.</span><span class="n">GET</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="n">getOrganization</span><span class="p">)</span> <span class="n">organization</span><span class="o">.</span><span class="n">PUT</span><span class="p">(</span><span class="s">""</span><span class="p">,</span> <span class="n">updateOrganization</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">getUser</span><span class="p">(</span><span class="n">c</span> <span class="n">echo</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="n">User</span><span class="p">{</span> <span class="n">User</span><span class="o">:</span> <span class="n">UserData</span><span class="p">{</span><span class="n">UserId</span><span class="o">:</span> <span class="s">"1"</span><span class="p">,</span> <span class="n">DisplayName</span><span class="o">:</span> <span class="s">"Test"</span><span class="p">,</span> <span class="n">Status</span><span class="o">:</span> <span class="s">"active"</span><span class="p">},</span> <span class="p">})</span> <span class="p">}</span> <span class="k">func</span> <span class="n">createUser</span><span class="p">(</span><span class="n">c</span> <span class="n">echo</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="n">User</span><span class="p">{</span> <span class="n">User</span><span class="o">:</span> <span class="n">UserData</span><span class="p">{</span><span class="n">UserId</span><span class="o">:</span> <span class="s">"2"</span><span class="p">,</span> <span class="n">DisplayName</span><span class="o">:</span> <span class="s">"Test2"</span><span class="p">,</span> <span class="n">Status</span><span class="o">:</span> <span class="s">"created"</span><span class="p">},</span> <span class="p">})</span> <span class="p">}</span> <span class="k">func</span> <span class="n">getOrganization</span><span class="p">(</span><span class="n">c</span> <span class="n">echo</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="n">Organization</span><span class="p">{</span> <span class="n">Organization</span><span class="o">:</span> <span class="n">OrganizationData</span><span class="p">{</span> <span class="n">OrganizationId</span><span class="o">:</span> <span class="s">"1"</span><span class="p">,</span> <span class="n">DisplayName</span><span class="o">:</span> <span class="s">"Test organization"</span><span class="p">,</span> <span class="n">Status</span><span class="o">:</span> <span class="s">"active"</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="p">}</span> <span class="k">func</span> <span class="n">updateOrganization</span><span class="p">(</span><span class="n">c</span> <span class="n">echo</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">return</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="n">Organization</span><span class="p">{</span> <span class="n">Organization</span><span class="o">:</span> <span class="n">OrganizationData</span><span class="p">{</span> <span class="n">OrganizationId</span><span class="o">:</span> <span class="s">"1"</span><span class="p">,</span> <span class="n">DisplayName</span><span class="o">:</span> <span class="s">"Test organization"</span><span class="p">,</span> <span class="n">Status</span><span class="o">:</span> <span class="s">"updated"</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>This simple lambda function is returning a JSON response in case you have sent a request to the correct path using the correct method.</p> <p>One cool way of using AWS Lambda is for running migration codes. AS mentioned earlier, we are using GORM as an ORM library for modeling and interacting with RDS-based Postgres. <br> GORM has the ability to define data models which represent database tables with appropriate constraints, which allows us to have a dedicated Lambda that runs migration/creations of resources (such as tables, indexes, constraints, pre-populated data, etc) in the database without the need to maintain incremental SQL scripts. If you are curious about GORM checkout their documentation <a href="https://gorm.io/docs/migration.html" rel="noopener noreferrer">here</a> (bonus: major version 2 was recently released with some very nice improvements).</p> <h2> Local testing </h2> <p>To test our lambda functions locally we’re using <code>Docker</code> and <code>AWS SAM</code>. <br> As we’re using Go runtime environment for our lambda functions, we have defined Docker file with Go base image and also installed <code>awscli</code> and <code>asw-sam-cli</code> tools.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> golang:1.15</span> <span class="k">RUN </span>apt-get update <span class="k">RUN </span>apt-get <span class="nb">install </span>python3 python3-pip <span class="nt">-y</span> <span class="k">RUN </span>pip3 <span class="nb">install</span> <span class="nt">--upgrade</span> pip <span class="k">RUN </span>pip3 <span class="nb">install </span>awscli <span class="k">RUN </span>pip3 <span class="nb">install </span>aws-sam-cli<span class="o">==</span>1.12 <span class="k">WORKDIR</span><span class="s"> /var/opt</span> <span class="k">EXPOSE</span><span class="s"> 3003</span> </code></pre> </div> <p>Next step is to create a <code>docker-compose</code> service that will use our docker base image defined in <code>Dockerfile</code>, and serve our Lambda function with an API Gateway-like local deployment.<br><br> In <code>docker-compose</code> service we’re mounting our backend folder which includes SAM <em>template.yaml</em> and the lambda executable. To run a lambda function with API Gateway defined in <em>template.yaml</em>, all you have to do is to define <strong>an entrypoint</strong> to use SAM command <code>sam local start-api</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.5"</span> <span class="na">services</span><span class="pi">:</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./backend</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">image</span><span class="pi">:</span> <span class="s">backend:local</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/var/run/docker.sock:/var/run/docker.sock</span> <span class="pi">-</span> <span class="s">./backend:/var/opt</span> <span class="na">working_dir</span><span class="pi">:</span> <span class="s">/var/opt</span> <span class="na">environment</span><span class="pi">:</span> <span class="c1"># don’t share statistics usage with AWS</span> <span class="na">SAM_CLI_TELEMETRY</span><span class="pi">:</span> <span class="m">0</span> <span class="na">LOG_LEVEL</span><span class="pi">:</span> <span class="s">DEBUG</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3003:3003"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sample</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/bin/bash</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">sam local start-api \</span> <span class="s">--host 0.0.0.0 -p 3003 \</span> <span class="s">--docker-volume-basedir "$PWD"/backend \</span> <span class="s">--docker-network sample</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">sample</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sample</span> </code></pre> </div> <p>To start local development api, just use command <code>docker-compose up</code>, or our make command <code>make up-be</code>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbvh4eaekjpko4wslojv9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbvh4eaekjpko4wslojv9.png" alt="Alt Text"></a></p> <p>The API is now ready to be tested.</p> <p>If you try to run a simple curl command <code>curl http://localhost:3003/user</code> you will get a response from the api.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F06r89zy7g0jjmme55746.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F06r89zy7g0jjmme55746.png" alt="Alt Text"></a></p> <p>Cool thing about using SAM local command in combo with docker-compose, is that you can easily define new docker-compose services like postgres, localstack (simulate other AWS services) or frontend and connect your lambda function to those services. <br> This approach allows us to have a full local development cycle without the need to deploy to AWS to test.</p> <h2> Terraform </h2> <p>Terraform is a general purpose infrastructure as code tool that can create infrastructure on different cloud providers like AWS, GCP, AZURE and Oracle Cloud Infrastructure.<br> Besides support for cloud providers, terraform has support for plenty of different kinds of providers, such as Cloudflare, Helm, etc. <br> If interested, you can find a full list of supported providers <a href="https://registry.terraform.io/browse/providers" rel="noopener noreferrer">here</a>.<br> Having the very useful modules system, it's relatively straightforward to deploy large infrastructures to any kind of cloud provider.</p> <p>We start with Terraform, as it is the glue for all these services and frameworks; not just because we’re big fans of it. In practice we are stitching AWS and Cloudflare together; and, in a clunky way, AWS SAM. Yes, by far not our favorite solution, using <code>null_resource</code>.</p> <p>At the moment of writing this post there is no better option to run AWS SAM via Terraform, or at least we couldn’t find one. Hoping in future Terraform will support creating SAM resources directly within a native provider. </p> <p>To glue things up, we go with the previous release of Terraform, at the moment of writing it was version 0.12. To find out some cool features that were released with this version or newer versions, you can read about in our blog post <a href="https://dev.to/mklabs/terraforming-in-2021-new-features-testing-and-compliance-17ho">here</a>. </p> <p>If you take a closer look at our architecture, you’ll notice that Terraform is responsible directly or indirectly for managing all resources that run on AWS. <br> It’s directly responsible for creating <code>AWS VPC, AWS RDS, AWS Cognito, AWS S3 buckets, AWS DynamoDB, AWS CloudFront distribution, AWS SSM and Cloudflare DNS records</code>. <br> Indirectly, it’s responsible for creating AWS Lambdas, AWS API Gateway. Meaning that the creation of those resources is managed by AWS SAM cli, defined by SAM template via a <code>null_resouce</code>. </p> <p>To manage different stages, we’re using the <strong>Terraform workspaces</strong>. We choose a strategy of naming Terraform workspaces by names of our branches, allowing us to have simple flow, mostly because of managing resources by Gitlab CI/CD.</p> <p>Below follows an example of how you could deploy SAM resources using a <code>null_resource</code> within your Terraform scripts. Essentially, you need to run both <code>package</code> and <code>deploy</code> commands and ensure all parameters (e.g. VPC, SGs, etc.) are injected into the deployment. To ensure the resource is called when the dependent files change, one could use the <code>sha1</code> of template as a trigger (as shown).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"build_deploy_sam_resource"</span> <span class="p">{</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">s3_bucket</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">s3_bucket_artifacts</span> <span class="nx">template</span> <span class="p">=</span> <span class="nx">sha1</span><span class="p">(</span><span class="nx">file</span><span class="p">(</span><span class="s2">"../../../backend/template.yaml"</span><span class="p">))</span> <span class="nx">stack_name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">stack_name</span> <span class="nx">sec_group_ids</span> <span class="p">=</span> <span class="nx">join</span><span class="p">(</span><span class="s2">","</span><span class="p">,</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">lambda_sg</span><span class="p">.*.</span><span class="nx">id</span><span class="p">)</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">join</span><span class="p">(</span><span class="s2">","</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span><span class="p">)</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">subdomain_name_backend</span><span class="k">}</span><span class="s2">.</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">domain_name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">target_stage</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="p">}</span> <span class="k">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">interpreter</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"bash"</span><span class="p">,</span> <span class="s2">"-c"</span><span class="p">]</span> <span class="nx">command</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> sam package --template-file ${local.template} --s3-bucket ${self.triggers.s3_bucket} --output-template-file ${local.packaged} sam deploy --stack-name ${self.triggers.stack_name} --template-file ${local.packaged} --capabilities CAPABILITY_IAM --parameter-overrides TargetStage=${self.triggers.target_stage} DomainName=${self.triggers.domain_name} VPCSecurityGroupIDs=${self.triggers.sec_group_ids} VPCSubnetIDs=${self.triggers.subnet_ids} AcmCertificateArn=${aws_acm_certificate_validation.backend.certificate_arn} </span><span class="no"> EOT </span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">lambda_sg</span><span class="p">,</span> <span class="nx">aws_acm_certificate_validation</span><span class="p">.</span><span class="nx">backend</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Cron jobs </h2> <p>Another use case we needed to implement required some business logic to run on a schedule, which you can also create easily with SAM - which will create a CloudWatch alarm to trigger the appropriate Lambda. AWS supports two ways of defining scheduled time to trigger some AWS resources. One is to use <strong>cron expression</strong> - in format <code>cron(Minutes Hours Day-of-month Month Day-of-week Year)</code>. Second one is to use <strong>rate expression</strong> - in format <code>rate(Value Unit)</code>, Where Value is a positive integer and Unit can be minute(s), hour(s), or day(s).<br> More details on how to define schedule expressions can be found on the AWS <a href="https://docs.aws.amazon.com/lambda/latest/dg/services-cloudwatchevents-expressions.html" rel="noopener noreferrer">site</a>.</p> <p>Keep in mind that rate expression is being executed when a rule is created. For example, if you set up a scheduler to run every 1 hour using keyword <strong>rate</strong>, <code>rate(1 hour)</code>, the next run time will be the time when your rule was created plus 1 hour. Let's say you created a rule at 10:20 AM, so the next run will occur at 11:20 AM. </p> <p>An example of how to define scheduled resources within the SAM template.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">ScheduledLambda</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Serverless::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Role</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">Role</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">30</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">bin/scheduled_lambda</span> <span class="na">Events</span><span class="pi">:</span> <span class="na">ScheduleExample</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Schedule</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Schedule</span><span class="pi">:</span> <span class="s">cron(0/30 * * * ? *)</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Example</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">cron</span><span class="nv"> </span><span class="s">jobs</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">runs</span><span class="nv"> </span><span class="s">lambda</span><span class="nv"> </span><span class="s">every</span><span class="nv"> </span><span class="s">30</span><span class="nv"> </span><span class="s">min"</span> </code></pre> </div> <p>The most crucial part to define scheduler is assigning type as Scheduler and setting valid cron or rate values for Schedule properties.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">Events</span><span class="pi">:</span> <span class="na">ScheduleExample</span><span class="pi">:</span> <span class="c1">#custom name of event</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Schedule</span> <span class="c1">#mandatory so AWS SAM can know what kind of event this gonna be</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Schedule</span><span class="pi">:</span> <span class="s">cron(0/30 * * * ? *)</span> </code></pre> </div> <p>Inside the Schedule property you can define your own expressions. <br> <a href="https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-schedule.html" rel="noopener noreferrer">Here</a> is the list of all properties that you can assign to the cloudwatch event resource in the SAM template.</p> <h2> AWS SSM Sessions </h2> <p>After setting up our environment on AWS, we were looking at how to access a database located in a private network. We found <code>System Manager remote sessions</code> service is a very nice solution, because it allows us to have access to private networks without exposing any service publicly. This is great for troubleshooting purposes, accessing our database. <br> Also allowing us easily create a cron job for backuping databases or any kind of extra work that is required for maintenance. </p> <p>To be able to create SSM sessions/tunnels, you need to create an EC2 instance running the <code>SSM Agent</code>. Note that SSM Agent is preinstalled, by default, on Amazon's AMIs. In our case,we used Amazon Linux 2 for convenience Of course, in our case, we are using Terraform to spawn an instance.</p> <p>In the following example, we’ll show you how to create this subset of our stack, including the installation of a Postgres client in the EC2 instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">locals</span> <span class="p">{</span> <span class="c1">// internal user used for admin maintenance tasks</span> <span class="nx">ssm_instance_user</span> <span class="p">=</span> <span class="s2">"example"</span> <span class="nx">ssm_instance_group</span> <span class="p">=</span> <span class="s2">"example"</span> <span class="p">}</span> <span class="cm">/** * SSM instance security group */</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"ssm_instance"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ssm-sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow egress from SSM Agent to Internet."</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"Name"</span> <span class="p">=</span> <span class="s2">"ssm-sg"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"ssm_instance_allow_egress_https"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">ssm_instance</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"ssm_instance_allow_egress_http"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">ssm_instance</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"ssm_instance_default"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ec2.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ssm_instance"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ssm-iam-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">ssm_instance_default</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ssm_instance_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ssm_instance</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_instance_profile"</span> <span class="s2">"ssm_instance"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ssm-iam-instance-profile"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ssm_instance</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"template_file"</span> <span class="s2">"install_ssm_instance"</span> <span class="p">{</span> <span class="nx">template</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"install-ssm-instance.yaml"</span><span class="p">)</span> <span class="nx">vars</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">ssm_instance_user</span> <span class="nx">group</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">ssm_instance_group</span> <span class="p">}</span> <span class="p">}</span> <span class="cm">/* * Ref: https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/cloudinit_config */</span> <span class="k">data</span> <span class="s2">"template_cloudinit_config"</span> <span class="s2">"ssm_instance_config"</span> <span class="p">{</span> <span class="nx">part</span> <span class="p">{</span> <span class="nx">content_type</span> <span class="p">=</span> <span class="s2">"text/cloud-config"</span> <span class="nx">content</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">template_file</span><span class="p">.</span><span class="nx">install_ssm_instance</span><span class="p">.</span><span class="nx">rendered</span> <span class="p">}</span> <span class="c1">// cloud-init has apparently a 8 year unresolved issue (face-palm) [1], and is unable</span> <span class="c1">// to create users before write_files directive . Thus, we use this hack.</span> <span class="c1">// [1] - https://bugs.launchpad.net/cloud-init/+bug/1486113</span> <span class="nx">part</span> <span class="p">{</span> <span class="nx">content_type</span> <span class="p">=</span> <span class="s2">"text/x-shellscript"</span> <span class="nx">content</span> <span class="p">=</span> <span class="s2">"/usr/bin/install-pg.sh"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"ec2"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-0d712b3e6e1f798ef"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t2.micro"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">ssm_instance</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">iam_instance_profile</span> <span class="p">=</span> <span class="nx">aws_iam_instance_profile</span><span class="p">.</span><span class="nx">ssm_instance</span><span class="p">.</span><span class="nx">name</span> <span class="nx">root_block_device</span> <span class="p">{</span> <span class="nx">delete_on_termination</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">volume_type</span> <span class="p">=</span> <span class="s2">"gp2"</span> <span class="nx">volume_size</span> <span class="p">=</span> <span class="mi">20</span> <span class="p">}</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">template_file</span><span class="p">.</span><span class="nx">install_ssm_instance</span><span class="p">.</span><span class="nx">rendered</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"Name"</span> <span class="p">=</span> <span class="s2">"ssm-ec2"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Example of template install-ssm-instance.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">#cloud-config</span> <span class="c1"># See docs for more details: https://cloudinit.readthedocs.io/en/latest/topics/examples.html</span> <span class="c1"># Upgrade database on first boot (run 'apt-get upgrade').</span> <span class="na">package_upgrade</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">default</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">${user}</span> <span class="na">gecos</span><span class="pi">:</span> <span class="s">${user}</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">/bin/bash</span> <span class="na">primary_group</span><span class="pi">:</span> <span class="s">${group}</span> <span class="na">sudo</span><span class="pi">:</span> <span class="s">ALL=(ALL) NOPASSWD:ALL</span> <span class="na">groups</span><span class="pi">:</span> <span class="s">users, admin</span> <span class="na">lock_passwd</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># download &amp; install following packages</span> <span class="na">packages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">curl</span> <span class="na">write_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">permissions</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0750'</span> <span class="na">owner</span><span class="pi">:</span> <span class="s">root:root</span> <span class="na">content</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">#!/bin/bash</span> <span class="s">set -euo pipefail</span> <span class="s">tee /etc/yum.repos.d/pgdg.repo&lt;&lt;EOF</span> <span class="s">[pgdg12]</span> <span class="s">name=PostgreSQL 12 for RHEL/CentOS 7 - x86_64</span> <span class="s">baseurl=https://download.postgresql.org/pub/repos/yum/12/redhat/rhel-7-x86_64</span> <span class="s">enabled=1</span> <span class="s">gpgcheck=0</span> <span class="s">EOF</span> <span class="s">yum makecache</span> <span class="s">yum install -y postgresql12 postgresql12-server</span> <span class="s">chown ${user}:${group} -R /home/${user}/</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/usr/bin/install-pg.sh</span> <span class="na">final_message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">The</span><span class="nv"> </span><span class="s">system</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">finally</span><span class="nv"> </span><span class="s">up,</span><span class="nv"> </span><span class="s">after</span><span class="nv"> </span><span class="s">$UPTIME</span><span class="nv"> </span><span class="s">seconds"</span> </code></pre> </div> <p>After setting up an EC2 instance with the installed postgres client, the next step is to connect to the EC2 instance, using the following command.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws ssm start-session --target “instance name” - instance name is you EC2 instance name </code></pre> </div> <p>In case you are having problems remembering the EC2 instance name, you can easily use make command to make it more straightforward. </p> <p>Basically everything that you need is <strong>EC2 tag value</strong>, so using <em>aws cli</em> command to describe EC2 instance filtering by tag will get us the desired instance name.<br> After everything is ready, to get connected to your EC2 instance, all you have to do is run make command.<br> In our example we are calling that command ssm-instance, so running <code>make ssm-instance</code>, you will get to the place you wanted to be :). </p> <p>Here is an example how can you achieve it using make:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nv">SSM_TAG</span><span class="o">=</span>ssm-ec2 <span class="nv">SSM_INSTANCE</span> <span class="o">:=</span> <span class="p">$(</span>shell aws ec2 describe-instances <span class="nt">--filter</span> <span class="s2">"Name=tag:Name,Values=</span><span class="p">$(</span><span class="s2">SSM_TAG</span><span class="p">)</span><span class="s2">"</span> <span class="nt">--query</span> <span class="s2">"Reservations[].Instances[?State.Name == 'running'].InstanceId[]"</span> <span class="nt">--output</span> text<span class="p">)</span> <span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">ssm-instance</span> <span class="nl">ssm-instance</span><span class="o">:</span> <span class="p">@</span><span class="nb">echo </span>Connecting to SSM INSTANCE <span class="p">@</span>aws ssm start-session <span class="nt">--target</span> <span class="p">$(</span>SSM_INSTANCE<span class="p">)</span> </code></pre> </div> <p>The last thing is to verify if the <code>install-pg.sh</code> script has been created on your EC2 instance by the Terraform example above. </p> <p>Just type <code>sudo -s</code> in the terminal and run command <code>./install-pg.sh</code>. Now your postgres client should be downloaded and installed. Voila!<br> To verify that you have successfully installed postgres client, just run command <code>psql</code>.</p> <p>In this example you saw how you can use AWS SSM and the EC2 running instance to get deployed to a private VPC.</p> <h2> Cost </h2> <p>If you are a startup at an early stage, then you should definitely consider applying to the AWS startup program as early as possible. While an AWS VPC itself doesn’t cost anything, it does cost to have the bare minimum resources for it to be production ready (e.g. Private/Public subnets with NAT Gateway). We have set up a <em>VPC</em> with <em>a single NAT</em> and <em>internet gateway</em> as a shared resource for our multiple stages (development, integration, production). We agree it’s not ideal, but for projects at early stages, we were avoiding escalation on expenses - we can all agree on this :). </p> <p>Besides the NAT Gateway, our biggest contributors to cost are of course the encrypted RDS instances <code>db.t2.small</code>. </p> <p>To sum up, this basic (but very functional) setup costs us around 100´euros per month, which is very fair considering we have multiple stages and the encryption used for all possible resources (RDS, S3, secrets).</p> <h2> Cloudflare </h2> <p>There is a bit of a challenge using Cloudflare strict mode with frontend deployed on AWS S3 bucket. Cloudflare's strict mode requires that the origin server needs to have an SSL certificate and in case of using AWS S3 as hosting there is a bit of a problem. <br> As you might know, AWS S3 bucket is publicly exposed only on HTTP protocol. </p> <p>So to overcome this issue, we needed to create an <strong>SSL certificate</strong> on AWS Route53 associated with our publicly exposed AWS S3 bucket, alongside with <code>AWS Cloudfront distribution</code> applying that SSL certificate. Basically AWS Cloudfront distribution allows us to expose AWS S3 buckets over HTTPS protocol. </p> <p>In this example we are creating an ACM certificate for a domain that will be used for our frontend exposed via Cloudfront distribution.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"virginia"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> </code></pre> </div> <p>This provider in region <code>us-east-1</code> needs to be defined so an ACM certificate can be created.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_acm_certificate"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">virginia</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">subdomain_name</span><span class="k">}</span><span class="s2">.</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">domain_name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">validation_method</span> <span class="p">=</span> <span class="s2">"DNS"</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"cloudflare_zones"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"cloudflare_record"</span> <span class="s2">"validation_domain"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">domain_validation_options</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="s2">"resource_record_name"</span><span class="p">]</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">trimsuffix</span><span class="p">(</span><span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">domain_validation_options</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="s2">"resource_record_value"</span><span class="p">],</span> <span class="s2">"."</span><span class="p">)</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">domain_validation_options</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="s2">"resource_record_type"</span><span class="p">]</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">cloudflare_zones</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">zones</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="s2">"id"</span><span class="p">)</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">default</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>This resource will create CNAME records in cloudflare DNS to validate our ACM certificate.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_acm_certificate_validation"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">virginia</span> <span class="nx">certificate_arn</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">validation_record_fqdns</span> <span class="p">=</span> <span class="nx">cloudflare_record</span><span class="p">.</span><span class="nx">validation_domain</span><span class="p">.*.</span><span class="nx">hostname</span> <span class="p">}</span> </code></pre> </div> <p>Note that certificate validation can take up to 20min, so have some patience.</p> <p>The next part is an example of creating a Cloudfront distribution and exposing it’s generic domain name as a user-friendly one that we will assign in Cloudflare.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_cloudfront_distribution"</span> <span class="s2">"frontend"</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">aliases</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">subdomain_name</span><span class="k">}</span><span class="s2">.</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">domain_name</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="nx">is_ipv6_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1">// cheapest: https://github.com/laurilehmijoki/s3_website/issues/150</span> <span class="nx">price_class</span> <span class="p">=</span> <span class="s2">"PriceClass_100"</span> <span class="nx">default_cache_behavior</span> <span class="p">{</span> <span class="nx">allowed_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">,</span> <span class="s2">"OPTIONS"</span><span class="p">]</span> <span class="nx">cached_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">]</span> <span class="nx">target_origin_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">frontend_s3_origin_id</span> <span class="nx">viewer_protocol_policy</span> <span class="p">=</span> <span class="s2">"redirect-to-https"</span> <span class="nx">default_ttl</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">max_ttl</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">forwarded_values</span> <span class="p">{</span> <span class="nx">query_string</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cookies</span> <span class="p">{</span> <span class="nx">forward</span> <span class="p">=</span> <span class="s2">"none"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">origin</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">frontennd_s3_origin_domain_name</span> <span class="nx">origin_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">frontend_s3_origin_id</span> <span class="nx">custom_origin_config</span> <span class="p">{</span> <span class="nx">http_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">https_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">origin_keepalive_timeout</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">origin_protocol_policy</span> <span class="p">=</span> <span class="s2">"http-only"</span> <span class="c1">// setting defined after terraform import. can try with https-only</span> <span class="nx">origin_read_timeout</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">origin_ssl_protocols</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"TLSv1"</span><span class="p">,</span> <span class="s2">"TLSv1.1"</span><span class="p">,</span> <span class="s2">"TLSv1.2"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">restrictions</span> <span class="p">{</span> <span class="nx">geo_restriction</span> <span class="p">{</span> <span class="nx">restriction_type</span> <span class="p">=</span> <span class="s2">"none"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">viewer_certificate</span> <span class="p">{</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">aws_acm_certificate_validation</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">certificate_arn</span> <span class="nx">cloudfront_default_certificate</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">minimum_protocol_version</span> <span class="p">=</span> <span class="s2">"TLSv1.2_2019"</span> <span class="nx">ssl_support_method</span> <span class="p">=</span> <span class="s2">"sni-only"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"cloudflare_record"</span> <span class="s2">"frontend_service"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">subdomain_name</span><span class="k">}</span><span class="s2">.</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">domain_name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_cloudfront_distribution</span><span class="p">.</span><span class="nx">frontend</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CNAME"</span> <span class="nx">proxied</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">cloudflare_zones</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">zones</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="s2">"id"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>After successfully creating those resources, your frontend will be now available over the internet on domain app-test.your-domain.com. Ta-da! We are now happy, having everything set up on HTTPS. Hurray! </p> <p>Also worth noticing it that at some point AWS marked cloudflare as non-trusted authority (there are references to Mozilla’s authorities list, more can be found <a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport" rel="noopener noreferrer">here</a>), so resources that we found online to solve our issue with exposing AWS S3 bucket over SSL weren’t helpful. <br> Those solutions were suggesting to use Cloudflare SSL certificates and import them into AWS certificate manager and use it within AWS Cloudfront distribution. </p> <h2> Gitlab runners </h2> <p>We used Gitlab CI/CD to power up our Terraform scripts to automatically handle deploying on different environments like test, staging and production. To set up the Gitlab runners to run successful workflows, we simply ensure that AWS cli, SAM cli, Terraform and Make are available/installed during the execution. We are aware this step is highly improvable - we could have a prebuilt Docker image containing all of these or use a community maintained one, but we wanted to first focus on product use cases and later focus on improvements.</p> <p>Here is an example of how to set up a Gitlab project with gitlab-ci.yaml. The most important part of this example is in <code>before_script</code> section of <code>gitlab-ci.yaml</code> file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">workflow</span><span class="pi">:</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">AWS_DEFAULT_REGION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">eu-west-1"</span> <span class="na">WORKSPACE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">dev"</span> <span class="na">TF_ENVIRONMENT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">terraform"</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">terraform-apply</span> <span class="na">terraform-apply</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">google/cloud-sdk:slim</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">terraform-apply</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt-get install -y unzip make jq</span> <span class="pi">-</span> <span class="s">curl https://releases.hashicorp.com/terraform/0.12.29/terraform_0.12.29_linux_amd64.zip --output /tmp/terraform.zip</span> <span class="pi">-</span> <span class="s">unzip /tmp/terraform.zip -d /tmp</span> <span class="pi">-</span> <span class="s">chmod +x /tmp/terraform</span> <span class="pi">-</span> <span class="s">mv /tmp/terraform /usr/local/bin/</span> <span class="pi">-</span> <span class="s">curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.0.30.zip" -o "awscliv2.zip"</span> <span class="pi">-</span> <span class="s">unzip -q awscliv2.zip</span> <span class="pi">-</span> <span class="s">./aws/install</span> <span class="pi">-</span> <span class="s">aws sts get-caller-identity</span> <span class="pi">-</span> <span class="s">curl --location "https://github.com/aws/aws-sam-cli/releases/download/v1.18.1/aws-sam-cli-linux-x86_64.zip" -o "awssamcli.zip"</span> <span class="pi">-</span> <span class="s">unzip -q awssamcli.zip</span> <span class="pi">-</span> <span class="s">./install</span> <span class="pi">-</span> <span class="s">sam --version</span> <span class="pi">-</span> <span class="s">curl --location https://github.com/terraform-linters/tflint/releases/download/v0.21.0/tflint_linux_amd64.zip -o /tmp/tflint.zip</span> <span class="pi">-</span> <span class="s">unzip /tmp/tflint.zip -d /tmp</span> <span class="pi">-</span> <span class="s">chmod +x /tmp/tflint</span> <span class="pi">-</span> <span class="s">mv /tmp/tflint /usr/local/bin/</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo yes | make tf-apply</span> </code></pre> </div> <h2> Final thoughts </h2> <p>Overall we are pretty satisfied with the usability of AWS framework for serverless environments.<br> The major drawback with this solution that we want to make sure we highlight is the usage of null_resource to integrate with AWS SAM. Terraform null_resources is something everyone should try to stay away from, so we sincerely hope to see future integration of SAM in the AWS provider.<br> And that is it. Thank you for reading, we hope this has been useful. Feel free to reach out to us if you have questions or suggestions.</p> <p>Once again, you can find all the code supporting this post <a href="https://github.com/mklabs-io/aws-serverless-go-blog-post" rel="noopener noreferrer">here</a>.</p> aws go terraform cloudflare João Ferrão Fri, 11 Jun 2021 21:27:11 +0000 https://dev.to/mklabs/slightly-quick-pyspark-tests-46j3 https://dev.to/mklabs/slightly-quick-pyspark-tests-46j3 <p>First of all, let me start by stating this isn't a post about the usage of fancy new technology but rather about sharing how to slightly improve the timing of automated pipelines that require testing PySpark.</p> <p>Recently I needed to implement an automated workflow, used in multiple git repositories which required <code>pyspark</code> tests to run at every commit made on an open pull/merge request as well as after merge (because, you know... we love tests).</p> <p>As usual, the team was on a rush to put together a lot of different elements simultaneously but, in the spirit of Agile development, we wanted to make sure that (1) everybody understood how to run the tests and (2) that experience was (could be) the same between running them on a machine or in our CICD pipeline.</p> <p>If anyone has experience with (Py)Spark, there's a lot of common mishaps that you'll know how to handle, but if you have newcomers to the technology, it's sometimes hard to identify some of the aforementioned issues, such has: wrong java version installed/selected, wrong python version, input test file doesn't exist, etc. If there's a small change to introduce to the business logic, it should be easy to know if (and where) the intended use of the logic was broken.</p> <p>Originally, we ended up this very practical <code>Dockerfile</code> and <code>docker-compose.yaml</code>, which installed whatever <code>requirements.txt</code> we placed in the root of the repo and ran all the tests.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> openjdk:8</span> <span class="k">ARG</span><span class="s"> PYTHON_VERSION=3.7</span> <span class="k">ENV</span><span class="s"> PATH="/root/miniconda3/bin:${PATH}"</span> <span class="c"># provision python with miniconda</span> <span class="k">RUN </span>wget https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">mkdir</span> /root/.conda <span class="se">\ </span> <span class="o">&amp;&amp;</span> bash Miniconda3-latest-Linux-x86_64.sh <span class="nt">-b</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> <span class="nb">rm</span> <span class="nt">-f</span> Miniconda3-latest-Linux-x86_64.sh &amp;&amp; conda install python=$PYTHON_VERSION -y \ &amp;&amp; conda init bash <span class="k">RUN </span><span class="nb">.</span> /root/.bashrc </code></pre> </div> <p>We placed it in <code>tests/Dockerfile</code> and then the following <code>docker-compose.yaml</code> in the root of the repo.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.0"</span> <span class="na">services</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">./tests/Dockerfile</span> <span class="na">args</span><span class="pi">:</span> <span class="na">PYTHON_VERSION</span><span class="pi">:</span> <span class="m">3.7</span> <span class="na">working_dir</span><span class="pi">:</span> <span class="s">/app</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.:/app/</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/bin/bash</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">pip install pytest</span> <span class="s">pip install -r ./requirements.txt # including pyspark==2.4.2</span> <span class="s">pytest ./tests</span> </code></pre> </div> <p>Then, you can just run <code>docker-compose up test</code> either on the designated CICD pipeline step and see the results. At least, there's no excuse for anyone to say they can't run the tests. </p> <h2> But waiting for this on every commit...? </h2> <p>If you try to run all of this, you'll notice that just provisioning Java, Python and then PySpark itself takes something between 2-4 minutes, depending on your CICD engine muscle and network bandwidth. Doesn't seem very significant, but if you run such logic every commit and that is required to pass before a Pull Request can be merged, might become relevant over time.</p> <p>For this reason, we <a href="!https://hub.docker.com/repository/docker/mklabsio/pyspark/general">created a public image</a> on Docker Hub, which you can use in your project and <strong>which is by no means rocket science</strong> but will hopefully be as convenient for your as it was for us.</p> <blockquote> <p>Yeah, but there's <code>jupyter pyspark notebook</code> images out there with the similar pre-installed stack.</p> </blockquote> <p>Right, right... But we wanted (1) something stripped down of unneeded packages (2) the ability to choose specific combinations of Python and PySpark versions per docker image and a (3) smaller download footprint - the images have almost half the size when decompressed (1.7 Gb vs 3.3 Gb).</p> <h2> Slightly quicker </h2> <p>The quick improvement would then be to simply reference directly the <code>mklabsio/pyspark:py37-spark242</code> image in your <code>docker-compose.yaml</code>, get rid of the <code>Dockerfile</code> and leave everything as before.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.0"</span> <span class="na">services</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="err">*</span><span class="nv">*image</span><span class="pi">:</span> <span class="s">mklabsio/pyspark:py37-spark242**</span> <span class="na">working_dir</span><span class="pi">:</span> <span class="s">/app</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.:/app/</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/bin/bash</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">pip install pytest</span> <span class="s">pip install -r ./requirements.txt # including pyspark==2.4.2</span> <span class="s">pytest ./tests</span> </code></pre> </div> <p>We also took the opportunity to create a simple GitHub Actions workflow to build all the required combinations of Python, Java and PySpark.</p> <p>Hope this could help you in any way and if you see a need for improvement, let us know in the comments below or feel free to open an issue in the <a href="!https://github.com/mklabs-io/pyspark-docker">dedicated GitHub repository</a>:</p> python pyspark cicd testing diogoaurelio Sun, 02 May 2021 17:07:29 +0000 https://dev.to/mklabs/terraforming-in-2021-new-features-testing-and-compliance-17ho https://dev.to/mklabs/terraforming-in-2021-new-features-testing-and-compliance-17ho <p> Both <a href="https://www.linkedin.com/in/jrcferrao/" rel="noopener noreferrer">João</a> and <a href="https://www.linkedin.com/in/diogoaurelio/" rel="noopener noreferrer">I</a> have been using regularly terraform for some time now, and are big fans of it. Big enough to even have worked for quite a while on a <a href="https://www.mkops.io/" rel="noopener noreferrer"> side project of our own to simplify managing terraform environments</a> (which unfortunately did not succeed), at least. And yes, now that we are preparing the next one with <a href="https://www.mkops.io/" rel="noopener noreferrer">mklabs</a>, which naturally also heavily relies on terraform scripts, it made only sense to start by sharing some of our favorite tools that gravitate in the terraform ecosystem. </p> <p>We kick off with the latest updates in terraform itself, from 0.12 until the latest 0.15, and then go straight to surrounding tooling, where we mainly focus on testing and compliance checking for infrastructure. </p> <p>You can find all the code supporting this this post <a href="https://github.com/mklabs-io/tf-ecosystem-blog-post" rel="noreferrer noopener">here</a>.</p> <h3>Overview of latest Terraform versions</h3> <p>Version 0.15 <a href="https://www.hashicorp.com/blog/announcing-hashicorp-terraform-0-15-general-availability" rel="noopener noreferrer">has just recently been released</a>. Yet, a lot of companies out there are still running environments up to 0.11.X, and for a good reason. Though version 0.12 was launched already a while ago (2019), it brought great disruption. If this is your case, chances are that you gave up on keep up to date with its progress. Thus, we thought it would make sense to first review some of terraform features you might be missing out, before we try to convince you also considering further improvements.</p> <h4>0.12</h4> <ul> <li> <strong>First-class expression syntax</strong>: probably the most noticeable change, no more string interpolation sintax (<em>confettis</em> blowing in the background)!</li> <li> <strong>Generalized type system</strong>: (yay!) able to specify types of variables;</li> <li> <strong>Iteration constructs</strong>: introduction a the <code>for</code> operator allowing closer proximity to programming languages and thus more expressiveness to the DSL;</li> </ul> <p>More details, see the <a href="https://www.hashicorp.com/blog/announcing-terraform-0-12" rel="noopener noreferrer">general availability announcement page</a>.</p> <h4>0.13</h4> <ul> <li> <strong>Module improvements</strong> - brings ability to use several meta tags that until so far were only available for <code>resources</code> <a href="https://www.hashicorp.com/blog/terraform-0-13-brings-powerful-meta-arguments-to-modular-workflows" rel="noopener noreferrer">in modules</a>. In this case, we can now use <code>depends_on</code> for coupling dependencies with modules (finally!), along with ability instantiate multiple module instances with <code>count</code> or <code>for_each</code>; <a href="https://www.hashicorp.com/blog/terraform-0-13-brings-powerful-meta-arguments-to-modular-workflows" rel="noopener noreferrer">more details here</a>;</li> </ul> <p><a href="https://datacenternotes.files.wordpress.com/2021/03/terraform_module_dependency.jpg" rel="noopener noreferrer"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdatacenternotes.files.wordpress.com%2F2021%2F03%2Fterraform_module_dependency.jpg" alt=""></a>Example specifying a module dependency (a personal favorite), <a href="https://www.hashicorp.com/blog/terraform-0-13-brings-powerful-meta-arguments-to-modular-workflows" rel="noopener noreferrer">source hashicorp blog</a></p> <ul> <li> <strong>Custom variable validation</strong> - when specifying variables one can from this version on wards specify custom rules for the input that is accepted and respective error message to allow fast failure; more details here; </li> </ul> <p><a href="https://datacenternotes.files.wordpress.com/2021/03/terraform_variable_validation.jpg" rel="noopener noreferrer"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdatacenternotes.files.wordpress.com%2F2021%2F03%2Fterraform_variable_validation.jpg" alt=""></a>Example variable validation, <a href="https://www.hashicorp.com/blog/custom-variable-validation-in-terraform-0-13" rel="noopener noreferrer">source hashicorp blog</a></p> <ul> <li> <strong>Support 3rd party providers</strong> - terraform now allows one to reference your own <a href="https://registry.terraform.io/browse/providers" rel="noopener noreferrer">provider</a> in the terraform block <code>required_providers</code>. The <code>required_providers</code> keyword in the terraform block already existed in terraform 12, though with was restricted to hashicorp's own providers; now you can reference your own DNS source to host your own registry, and upon <code>terraform init</code> it will be installed same as it used to all other providers; <a href="https://www.hashicorp.com/blog/automatic-installation-of-third-party-providers-with-terraform-0-13" rel="noopener noreferrer">more details here</a>; note that if you are already using the <code>required_providers</code> keyword in terraform block, to migrate from version 12 to 13 you should adapt it, as shown in the following example:</li> </ul> <p><a href="https://datacenternotes.files.wordpress.com/2021/03/terraform13_providers.jpg" rel="noopener noreferrer"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdatacenternotes.files.wordpress.com%2F2021%2F03%2Fterraform13_providers.jpg" alt=""></a>Example required_providers, source <a href="https://www.terraform.io/upgrade-guides/0-13.html" rel="noopener noreferrer">terraform upgrade guides</a></p> <p>More details, see the <a href="https://www.hashicorp.com/blog/announcing-hashicorp-terraform-0-13" rel="noopener noreferrer">general availability announcement page</a>.</p> <h4>0.14</h4> <ul> <li> <strong>Sensitive variables &amp; outputs</strong> - allowing one to flag a variable as "sensitive" will redact its output on the CLI;</li> <li> <strong>Improved diff</strong> - this is probably one of the most common complaints I hear, namely the difficulty in reading a terraform <code>plan</code> (and along with it the same for <code>apply</code> and <code>show</code>) output; with this new change, it hides unchanged fields (irrelevant for the diff) while displaying a count of the hidden elements for better clarity; <a href="https://www.hashicorp.com/blog/terraform-0-14-adds-a-new-concise-diff-format-to-terraform-plans" rel="noopener noreferrer">more details here</a>;</li> </ul> <p><a href="https://datacenternotes.files.wordpress.com/2021/03/terraform14_improved_diff.jpg" rel="noopener noreferrer"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdatacenternotes.files.wordpress.com%2F2021%2F03%2Fterraform14_improved_diff.jpg" alt=""></a>Example excerpt diff, <a href="https://www.hashicorp.com/blog/announcing-hashicorp-terraform-0-14-general-availability" rel="noopener noreferrer">source hashicorp blog</a></p> <ul> <li> <strong>dependency lockfile</strong> - as soon as you run <code>terraform init</code> with version 14 you will notice that a <code>.terraform.lock.hcl</code> file will be created in that directory and outside the <code>.terraform</code> directory. This file is intended to be added to version control (git committed), to guarantee that the exact same provider versions are run everywhere;</li> </ul> <p>More details, see the <a href="https://www.hashicorp.com/blog/announcing-hashicorp-terraform-0-14-general-availability" rel="noopener noreferrer">general availability announcement page</a>.</p> <h4>0.15</h4> <p>Finally, here are some of the main highlights the latest version just very recently announced:</p> <ul> <li> <strong>Remote state data source compatibility</strong>: in order to make it easier to upgrade to newer versions, you can use reference remote state data objects that are using older versions; note that this feature has been back ported into previous releases as well, namely 0.14.0, 0.13.6, and 0.12.30;</li> <li> <strong>Improvements to conceal sensitive values (passwords, for example)</strong>: following version 0.14 work now provider developers can specify the properties that are by default sensitive and should be anyway hidden in outputs; moreover, terraform also added a function (sensitive) for users to be able to explicitly hide values;</li> <li> <strong>Improvements in logging behavior</strong>: ability to control provider and terraform log level separately <code>TF_LOG_CORE=level</code> and <code>TF_LOG_PROVIDER=level</code>.</li> </ul> <p>More details, see the <a href="https://www.hashicorp.com/blog/announcing-hashicorp-terraform-0-15-general-availability" rel="noopener noreferrer">general availability announcement page</a>.</p> <h3>Handling multiple versions</h3> <p>Assuming that these new features convinced you to upgrade your existing terraform environments, being realistic here, this will not happen from one day to another. You will have a transition period (if not permanently) where you have environments with different terraform versions. That is OK, you can still keep your sanity while hopping between all of them thanks to tools like the following:</p> <ul> <li> <a href="https://github.com/tfutils/tfenv" rel="noopener noreferrer">TFEnv</a> - terraform environment switcher inspired (from the ruby world) by <code>rbenv</code> written with shell scripts;</li> <li> <a href="https://github.com/warrensbox/terraform-switcher/" rel="noopener noreferrer">Terraform Switcher </a>- yet another project essentially doing the same written in go;</li> </ul> <p>Both of these projects overlap almost entirely, so we will simply exemplify with one of them, namely tfenv:</p> <a href="https://datacenternotes.files.wordpress.com/2021/03/tfenv_demo.gif" rel="noopener noreferrer"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdatacenternotes.files.wordpress.com%2F2021%2F03%2Ftfenv_demo.gif%3Fw%3D1024" alt=""></a> <p>Here we are showing how you can switch between installed versions <code>tfenv use &lt;local-version&gt;</code>, how you can check which versions are already locally installed with <code>tfenv list</code>, all versions currently available <code>tfenv list-remote</code> (minor detail: the current version of the library I'm using to record my terminal, <a href="https://terminalizer.com/docs" rel="noopener noreferrer">terminalizer</a>, does not capture me scrolling up and selecting version terraform <code>0.14.5</code>)<br>Last but not least, we also show a cool feature from tfenv, namely the ability to automatically recognize the minimum required version in a given environment. Same goes for the latest version, in case you are wondering. And yes, this is also available in terraform switcher project.</p> <h3>Testing</h3> <p>Testing is probably the most confusing topic in the Infrastructure-as-Code (IaC) land, and terraform not being an exception, as a lot of different tools and procedures get thrown in this same bag, when, well, they probably should not. Usually when talking about testing, people usually mean three different things:</p> <ul> <li> <strong>static checks</strong> - validation of mainly the structure code without actually running the code; a fast away for performing sanity checks, either local and/or in your CI/CD pipelines; </li> <li> <strong>integration tests</strong> - provided you are properly using inversion of control with variables, they give you the power to test your modules or environments for different generic cases;</li> <li> <strong>compliance checks</strong> - tests done in the aftermath, after all resources have already been deployed; these can serve distinct purposes that we will explore better later, but essentially the goal is to confirm that what is deployed is what was initially intended and expressed in terraform;</li> </ul> <p>Yes, you got that right: if you were looking forward to some classic unit testing, you can forget that for now. Let us dive straight into more details.</p> <h4>Static checks</h4> <p>Again, these are not tests strictly speaking, but rather just simple validation checks one can run to catch common errors without actually deploying anything. There is an array of tools out there, but let us start with the one provided out of the box in terraform binary.</p> <p>It is not uncommon for the tool creators to provide their own validators. Kubernetes provides validate <code>kubectl apply -f &lt;file&gt; --dry-run --validate=true</code>, helm provides lint <code>helm lint &lt;path&gt;</code>; terraform provides <code>validate</code>. </p> <p>In the following example running <code>terraform validate</code> would catch two of the three issues:</p> <div class="ltag_gist-liquid-tag"> </div> <p>Validate will require to have previously run <code>terraform init</code>, so that it can leverage providers. In our example it will detect the typo in the aws bucket resource reference, along with the invalid CIDR provided to create the VPC. What it will not detect, however, is the non existent EC2 instance type.</p> <p><a href="https://datacenternotes.files.wordpress.com/2021/03/terraform_validate_demo.gif" rel="noopener noreferrer"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdatacenternotes.files.wordpress.com%2F2021%2F03%2Fterraform_validate_demo.gif%3Fw%3D1024" alt=""></a></p> <p><a rel="noreferrer noopener" href="https://github.com/terraform-linters/tflint">TFLint</a> comes to the rescue. Being yet another open source tool written in go, it comes as a binary much like terraform and does not even require terraform to be installed. </p> <p><a href="https://datacenternotes.files.wordpress.com/2021/03/tflint.gif" rel="noopener noreferrer"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdatacenternotes.files.wordpress.com%2F2021%2F03%2Ftflint.gif%3Fw%3D1024" alt=""></a></p> <p>Running with the <code>deep</code> option requires one to provide credentials, providing a more thorough inspection. In our case, it detected the incorrect instance type, as well as the wrong AMI.</p> <p>You can also <a rel="noreferrer noopener" href="https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/config.md">customize tflint</a> to inject variables, define modules to ignore, etc. You can check the <a href="https://github.com/terraform-linters/tflint/tree/master/docs/user-guide" rel="noreferrer noopener">user guide</a> for more details. </p> <p>Now besides linting for configuration issues in your code, another recommendation is to <em>check for security issues</em>, such as too permissive security group rules, unencrypted resources, etc. </p> <p>Here again more than one tool exists to assist. We will highlight two of the most popular ones here: <a rel="noreferrer noopener" href="https://github.com/tfsec/tfsec">tfsec</a> and <a rel="noreferrer noopener" href="https://github.com/bridgecrewio/checkov">checkov</a>. Both provide a predefined set of checks that they use to inspect your code, allowing to explicitly open exceptions (if you really want to) by annotating your code with comments, and adjust the configuration to ignore some modules, for example. </p> <p>TFSec is written in Go, and is probably the fastest to get started, and currently <a rel="noreferrer noopener" href="https://tfsec.dev/docs/aws/home/">provides up to 10 checks</a> for the current main cloud providers (AWS, GCP, and Azure). The potential downside is that works exclusively for Terraform, so you will need to use additional tools to inspect kubernetes/helm/cloudformation etc. </p> <p>Checkov, on the other hand, despite being a more recent tool, has seen stellar development speed (being developed by a <a rel="noreferrer noopener" href="https://bridgecrew.io/round-a-announcement/">startup with good founding rounds</a>, and <a rel="noreferrer noopener" href="https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-announces-intent-to-acquire-bridgecrew">PaloAlto Networks acquisition</a> can't hurt). Not only do they have a <a href="https://docs.bridgecrew.io/docs/aws-policy-index" rel="noopener noreferrer">really comprehensive number of checks</a> across all the main cloud providers, but they also span across multiple technologies, such as Kubernetes, Cloudformation, serverless and ARM templates. And the list keeps growing. Checkov provides you the option to run either a pure static check by just pointing to the terraform directory or terraform file, or by actually running it against a terraform plan file. The nice thing about running it directly is naturally the simplicity of not requiring to have the target environment accessible to test the code.</p> <p>These tools are grabbing a lot of attention lately, as the double checking for security issues was usually locked in the hands of devops/devsecops teams, which in practice constituted a development bottleneck. By injecting these checks early in CI/CD pipelines, a great deal of development speed is freed without compromising security. </p> <p><strong>Integration tests</strong></p> <p><a rel="noreferrer noopener" href="https://github.com/gruntwork-io/terratest">Terratest</a> is probably the closest one can get now a days to testing the specific peace of terraform code. It is a Go library, and requires one to write tests in Go. This is obviously a potential limitation as not all teams have knowledge in Go. On the upside, I would argue that the learning curve of learning Go to get the basics - read enough for writing terraform tests - is not steep if you know already at least one programming language. </p> <p>Having worked already in several Go projects in the context of mklabs, we're naturally favorably biased towards Terratest. So, even if you have never tried Go, we would still recommend having a look on our sample repository, where we provide go mod setup to make it easy getting started. And if this did not convince you yet, here's what might: you can also use Terratest to test Dockerfiles, Kubernetes and Packer setups. </p> <p>This might seem intimidating, but we would argue that the benefits are worth it. Let us look at an example skeleton of a test setup for AWS:</p> <div class="ltag_gist-liquid-tag"> </div> <p>Essentially the skeleton is always the same: </p> <ol> <li>start by defining the variables you want to inject as input for your terratest run; you might want to rather inject random variables even, to test in greater depth;</li> <li>make sure you tell the setup to destroy all created resources after the terraform apply has been completed using the <code>defer</code> statement; this is equivalent to the <code>trap</code> keywork in shell, and it will execute even if something fails in the meanwhile; the only prerequisite is that you declare it before you call <code>terraform.InitAndApply()</code> method;</li> <li>Let the test be deployed by passing the terraform config setup you have previously declared in <code>terraformOptions</code> to <code>terraform.InitAndApply</code> method;</li> <li>Finally, declare the things you want to assert; that is, declare what you expect should have been deployed - the <code>expected</code> - and see if they match what was actually deployed - the <code>result</code>. The simplest way is to check in terraform apply output, which is accessible via `terraform.Output()` method. Alternatively, terragrunt also provides you some methods out of the box for frequently checked things on a per provide basis. </li> </ol> <p>Sounds like fun, right? Here is an example of some of the tests we could write to our basic terraform example:</p> <div class="ltag_gist-liquid-tag"> </div> <p>Here is the output of running these tests for our demo setup:</p> <p><a href="https://datacenternotes.files.wordpress.com/2021/03/terratest_demo-1.gif" rel="noopener noreferrer"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdatacenternotes.files.wordpress.com%2F2021%2F03%2Fterratest_demo-1.gif%3Fw%3D1024" alt=""></a></p> <p><strong>Final thoughts regarding terratest</strong>: we find terratest a great tool to implement changes in your infrastructure with confidence, no matter if they are just simple day to day changes, or bigger and complexer upgrades or migrations. </p> <p>We just scratched the surface here on the tests one can develop with terratest - for example combining SSH access into instances and confirming access to resources, etc. However, there are no free lunches, and this can come at a price: tests can take a long time (depending obviously on what you are testing), and require a non trivial time investment - learning how to use, writing them, and setting up the environment, as you probably will want to run them in an isolated environment. For example, in AWS case, this would ideally be a dedicated account. We recommend reading <a href="https://terratest.gruntwork.io/docs/#testing-best-practices" rel="noopener noreferrer">best practices on how to perform testing</a> from terragrunt, the company behind terratest.</p> <p><strong>Compliance checks</strong></p> <p>The last mile is asserting that what you wanted to be deployed, was indeed deployed exactly <em>as you wanted</em>. Abusing terraform <code>null_resource</code> is a classic one leading to unintended surprises. One way of achieving this would be to run these tests right after the <code>terraform apply</code> stage of your CI/CD pipeline.</p> <p>But the next question you might have is how do I know that these configurations stay that way, that <em>no one changed things inadvertently</em> ? We've seen this situation arise in different forms: changes done by users manually via GUI or CLI; via different terraform environments mutating overlapping resources properties; or as a by-product of using different IaC tools, for example configuring some bits with Cloudformation, some K8s or Helm, etc. </p> <p>Arguably more interesting would be scheduling to run these checks continuously and repeatedly, to make sure things stay as you expected. Let's see some options out there to achieve this.</p> <p><strong>The rogue approach</strong>: in practice you can do this type of compliance checks with any programming language you favor. As we shown before, one can export terraform' state into <code>json</code> format, and then use, for example, python with <code>pytest</code> and <code>boto3</code> libraries to compare what is deployed with the desired output. You could even go further, and use <code>boto3</code> to scan your accounts for different aspects that you considered go against best practices, such as lack of encryption (in-flight and at rest).</p> <p>While this might be tempting at first sight, you might end up writing way more testing code, than the actual terraform code. Not only it seems kind of silly, but it can get hairy. </p> <p>The second reason not to follow this approach, is that there are already several solutions out there fairly tested and intuitive to use that can help you with this task, which we will cover now:</p> <ul> <li>Driftctl - open source go library from cloudskiff for terraform;</li> <li>Sentinel - Hashicorp's own solution;</li> <li>terraform-compliance - open source BDD based solution dedicated for terraform;</li> <li>Conftest - test suite for multiple frameworks besides terraform, such as kubernetes and dockerfiles; </li> <li>Inspec - Chef compliance testing tool, written in ruby;</li> <li>Built-in cloud provider - each cloud provider has it's own inspections mechanisms in place;</li> </ul> <p>You may be wondering why the first place in our list is a library still in beta. That is a good point, and we would argue that its progress seems to be promising, and that we like to support startups. Moreover we think its <a rel="noreferrer noopener" href="https://docs.driftctl.com/0.7.1/usage">simplicity of usage</a> deserves a highlight as it delivers one thing and one thing only: check if what is in your terraform state file is what is actually deployed. Simply point to your terraform statefile when you run <code>driftctl scan</code> command and you will get a detailed report if you have <em>drifted</em>. Due to the low effort required to implement this library and value provided, we think it deserves taking it for a spin.</p> <p>Next on our list is Hashicorp's (the company behind terraform) own enterprise solution for this, <a rel="noreferrer noopener" href="https://www.hashicorp.com/sentinel">Sentinel</a>. This is could make sense if you are already using other Hashicorp's enterprise functionality, benefiting from Terraform Enterprise.</p> <p>A direct open source comparable alternative would be using <a rel="noreferrer noopener" href="https://github.com/terraform-compliance/cli">terraform-compliance</a>. It follows <a rel="noreferrer noopener" href="https://en.wikipedia.org/wiki/Behavior-driven_development">BDD</a> directives so that you can specify in an easy human readable way your expectations, using:</p> <ul> <li> <em>given</em>: a given resource type;</li> <li> <em>when</em>: an optional condition you might want to add;</li> <li> <em>then</em>: what you expectation is; </li> </ul> <p>Here is an example of a test file for AWS S3 buckets:</p> <div class="ltag_gist-liquid-tag"> </div> <p>Although we do get the appeal of easily understandable tests that do not require knowing how code, we find terraform-compliance lacks flexibility to test various aspects, mainly due to the BDD nature. Moreover, there are <a rel="noreferrer noopener" href="https://adinermie.com/the-good-the-bad-and-the-ugly-of-using-terraform-compliance/">more people disenchanted by it with some valid points</a>. </p> <p>If you like terraform-compliance, <a rel="noreferrer noopener" href="https://github.com/open-policy-agent/conftest">Conftest</a> might also be worth having a look. It has its own DSL to write policies, and allows you to test multiple frameworks. We found <a rel="noreferrer noopener" href="https://www.blokje5.dev/posts/validating-terraform-plans/">this blog post</a> from Lennard Eijsackers very informative, and would thus rather recommend you to check it out. </p> <p>Before we dive into own cloud provider compliance checking services, we want to highlight yet another open source tool, namely <a rel="noreferrer noopener" href="https://github.com/inspec/inspec">InSpec</a>. It allows you to write tests in ruby, and was <a rel="noreferrer noopener" href="https://docs.chef.io/inspec/inspec_and_friends/#rspec">built on top of RSpec</a>. If you know already <a rel="noreferrer noopener" href="https://github.com/k1LoW/awspec">awsspec</a>, then this should feel very similar, with the advantage that InSpec also supports GCP and Azure. </p> <p>Even though none of us is actively a ruby developer, we find InSpec very easy to get started with and, most importantly, very powerful. It allows you to combine IaC checks to target resources deployed and mapped in terraform state files, with other general policies for cloud account configuration. Moreover, it also allows you to combine additional security checks, such as on OS level configurations and services running. Let us illustrate how you could write these checks. The following check illustrates how to define global policies that an account should obey:</p> <div class="ltag_gist-liquid-tag"> </div> <p>The next one illustrates for generic networking:</p> <div class="ltag_gist-liquid-tag"> </div> <p>The previous examples only illustrate generic control checks that validate overall best practices in your acocunt. However, you might want to also perform assertions regarding what is in your terraform state versus what is deployed - what the <a rel="noreferrer noopener" href="https://cloudskiff.com/">cloudskiff</a> engineers rightly name <em>drift</em>. Christoph Hartmann - one of InSpecs creators - has a nice <a rel="noreferrer noopener" href="https://lollyrock.com/posts/inspec-terraform/">blog post</a> explaining how to use InSpec and integrate with terraform. The approach is essentially as described previously in the rogue approach - import terraform state json file and use it as the expected assertion. </p> <h3>Built-in cloud provider policy tools</h3> <p>Each cloud provider has a native tool to address company-wide governance policies. Some examples of services are: </p> <ul> <li>AWS: <strong><a href="https://aws.amazon.com/config/" rel="noopener noreferrer">AWS Config</a></strong> and to manage cloud configuration deviations within one account, <a rel="noreferrer noopener" href="https://aws.amazon.com/systems-manager/">Systems Manager</a> to enforce instance OS security, and more recently <a rel="noreferrer noopener" href="https://aws.amazon.com/controltower/">Control Tower</a> for enforcing rules across multiple accounts;</li> <li>Azure: <strong><a href="https://azure.microsoft.com/en-us/services/azure-policy/" rel="noopener noreferrer">Azure Policy</a></strong> for checking cloud configuration deviations and <strong><a href="https://azure.microsoft.com/en-us/services/security-center/" rel="noopener noreferrer">Azure Security Center</a></strong> </li> <li>GCP:<strong> <a href="https://cloud.google.com/blog/products/identity-security/protecting-your-gcp-infrastructure-at-scale-with-forseti-config-validator" rel="noopener noreferrer">Forseti Config Validator</a></strong> for GCP</li> </ul> <p>These are just some of the services that we know that can be used for such enforcement. Most of these services go beyond just checking cloud config, and also provide security inspections at instance level, for example. The important point to keep in mind is that these security checks are post deployment compliance assertion, not for preventing configuration issues.</p> <h2>Final thoughts</h2> <p>We find that there is not a single silver bullet that solves all problems, and the best strategy is actually a combination of multiple tactics employed at different stages. The two main phases that require different approaches are <em>pre</em> and <em>post</em> deployment. </p> <p>For pre-deployment, a combination of static checks and actual tests can be used. Static checks are a great starter, as they are easy to setup, and allow you to enforce generally good practices across the whole organization. In other words, static checks provide you an powerful easy win. With terratest, on the other hand, you mainly gain on confidence that the IaC code will actually work, and that you will catch <em>faux pas</em>. However, terratest does not come for free, and does require a learning curve with go, along with time investment to develop the actual tests.</p> <p>After your code gets deployed comes the next challenge: making sure things stay well architected. Regular scheduled checks that assess if your infrastructure is running as intended should also be part of your devOps strategy, and for this two main routes exist: open source or using dedicated cloud services. </p> <p>And that is it. Thank you for reading, we hope this has been useful. Feel free to reach out to us if you have questions or suggestions.</p> <p>Once again, you can find all the code supporting this this post <a rel="noreferrer noopener" href="https://github.com/mklabs-io/tf-ecosystem-blog-post">here</a>. </p> <h3>Sources</h3> <p>As usual, here is the summary of sources used for this post:</p> <ul> <li><a rel="noopener noreferrer" href="https://www.hashicorp.com/blog/announcing-terraform-0-12">Terraform version 12 general availability notes</a></li> <li><a rel="noopener noreferrer" href="https://www.hashicorp.com/blog/announcing-hashicorp-terraform-0-13">Terraform version 13 general availability notes</a></li> <li><a rel="noopener noreferrer" href="https://www.hashicorp.com/blog/announcing-hashicorp-terraform-0-14-general-availability">Terraform version 14 general availability notes</a></li> <li><a href="https://github.com/warrensbox/terraform-switcher/" rel="noopener noreferrer">Terraform Switcher project</a></li> <li><a href="https://terratest.gruntwork.io/docs/#testing-best-practices" rel="noopener noreferrer">Best practices testing with terratest</a></li> <li><a rel="noreferrer noopener" href="https://github.com/tfsec/tfsec">TFSec</a></li> <li><a rel="noreferrer noopener" href="https://github.com/bridgecrewio/checkov">Bridgecrew checkov</a></li> <li><a rel="noreferrer noopener" href="https://github.com/terraform-compliance/cli">Terraform compliance</a></li> <li><a rel="noreferrer noopener" href="https://github.com/cloudskiff/driftctl">Driftctl tool</a></li> <li><a rel="noreferrer noopener" href="https://docs.chef.io/inspec/">Chef InSpec</a></li> <li> <a href="https://lollyrock.com/posts/inspec-terraform/" rel="noreferrer noopener">Christoph Hartmann blog post how to use Inspec with terraform</a> </li> <li><a href="https://github.com/k1LoW/awspec" rel="noopener noreferrer">AWS Spec</a></li> <li><a rel="noreferrer noopener" href="https://github.com/open-policy-agent/conftest">Conftest</a></li> <li><a rel="noreferrer noopener" href="https://www.blokje5.dev/posts/validating-terraform-plans/">Blog post from Lennard Eijsackers on Conftest</a></li> <li>The recordings of my terminal were done using <a href="https://terminalizer.com/" rel="noopener noreferrer">terminalizer</a> </li> </ul> terraform devops terratest inspec