DEV Community: Serverless Guru, LLC The latest articles on DEV Community by Serverless Guru, LLC (@serverlessgurux). https://dev.to/serverlessgurux https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F344868%2Fa18f22b4-b0d0-43bb-9ea8-99425ab2c6de.jpg DEV Community: Serverless Guru, LLC https://dev.to/serverlessgurux en Using all new Amazon API Gateway HTTP APIs with Serverless Framework Serverless Guru, LLC Tue, 03 Mar 2020 00:43:15 +0000 https://dev.to/serverlessgurux/using-all-new-amazon-api-gateway-http-apis-with-serverless-framework-34ol https://dev.to/serverlessgurux/using-all-new-amazon-api-gateway-http-apis-with-serverless-framework-34ol <p>It is easy to build and maintain large scale APIs with Amazon API Gateway. From REST to WebSockets APIs, HTTP Proxies to workloads with request transformation, authentication and validation.</p> <p>One common integration for building APIs is to proxy it to an AWS Lambda. Listening to their customers feedback, Amazon went one step further and on <a href="https://aws.amazon.com/blogs/aws/aws-launches-previews-at-reinvent-2019-wednesday-december-4th/">last year re:Invent they released a new feature</a> called <a href="https://aws.amazon.com/about-aws/whats-new/2019/12/amazon-api-gateway-offers-faster-cheaper-simpler-apis-using-http-apis-preview/">HTTP APIs for Amazon API Gateway</a>.</p> <p>HTTP APIs offer the core functionality of Amazon API Gateway and are optimised for building APIs that proxy to AWS Lambda functions or HTTP backends. With <a href="https://aws.amazon.com/api-gateway/pricing/#HTTP_APIs_.28Preview.29">cost savings up to 70% compared to REST APIs</a>, significant performance improvements (without the Amazon API Gateway service overhead), out of the box features like throttling, metrics, logging, OIDC, OAuth and built-in support for CORS.</p> <h1> What is the difference between HTTP APIs and REST APIs in Amazon API Gateway? </h1> <p>As mentioned above, HTTP APIs are focused and optimised for APIs proxying request to an AWS Lambda or HTTP backends. Any other offers and features from REST APIs aren't available. I will list some features heres, but they are not exhaustive and can change, since Amazon can ship more (or less) features anytime.</p> <p><strong>What features ARE NOT AVAILABLE while using HTTP APIs?</strong></p> <ul> <li> <strong>Custom Authorizers:</strong> AWS Lambda and IAM (You can use Amazon Cognito as a JWT issuer only)</li> <li> <strong>Integration:</strong> HTTP, AWS Services, Private Integration or Mocks (we can use HTTP as a proxy integration only)</li> <li> <strong>API Management:</strong> Usage Plans, API Keys, custom domains with TLS 1.0 or wildcard custom domains names.</li> <li> <strong>Development:</strong> Cache, Request transformation, Request/Response validation, Test Invocation</li> <li> <strong>Security:</strong> Client Certificates, AWS WAF, Resource policies</li> <li> <strong>API Type:</strong> Edge-optimized, Private (HTTP APIs are Regional only)</li> <li> <strong>Monitoring:</strong> Access logs to Amazon Kinesis Data Firehose, AWS X-Ray</li> </ul> <p>While the list above can be scary and maybe you been thinking "...damn, that is too much, I'll keep using REST APIs". I dare you to think again, usually, we do not use 90% of the features on this list, but we would be paying for it if we misconfigured our projects.</p> <p>With HTTP APIs, AWS helps us to <a href="https://blog.codinghorror.com/falling-into-the-pit-of-success/">falling into the pit of success</a>, with enhanced performance, cheaper with great features and an easier developer experience. </p> <p>This service is still in Beta, with fast improvements and moves towards General Availability. <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html">You can stay up to date following this AWS page</a>.</p> <h1> Building your first HTTP API with Serverless Framework </h1> <p>At <a href="https://serverlessguru.com/">Serverless Guru</a>, we love helping you to migrate, build or train your team on serverless best practices.</p> <p>Last week, <a href="https://serverless.com/partners/">our official partner Serverless</a>, released its <a href="https://serverless.com/blog/aws-http-api-support/">support for HTTP APIs with Serverless Framework</a>.</p> <p>We can now leverage the awesome features of Serverless Framework to build products using all new Amazon API Gateway HTTP APIs!</p> <p>Let's review the following <code>serverless.yml</code> file:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">service</span><span class="pi">:</span> <span class="s">example-http-api-service</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws</span> <span class="na">functions</span><span class="pi">:</span> <span class="na">getItems</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.getItems</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="s2">"</span><span class="s">GET</span><span class="nv"> </span><span class="s">/items"</span> </code></pre></div> <p>Even with all the differences between HTTP APIs and REST APIs, Serverless Framework decided to propose a new event, <code>httpApi</code> to attach functions to HTTP APIs in your <code>serverless.yml</code> file, keeping the syntax familiar and easy to migrate.</p> <p>Exploring the HTTP verbs, we have more routing options, like:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">...</span> <span class="na">functions</span><span class="pi">:</span> <span class="s">...</span> <span class="s">postItem</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.postItem</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="s2">"</span><span class="s">POST</span><span class="nv"> </span><span class="s">/items"</span> <span class="na">getItem</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.getItem</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="s2">"</span><span class="s">GET</span><span class="nv"> </span><span class="s">/items/{id}"</span> <span class="na">putItem</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.putItem</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="s2">"</span><span class="s">PUT</span><span class="nv"> </span><span class="s">/items/{id}"</span> <span class="na">deleteItem</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.deleteItem</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="s2">"</span><span class="s">DELETE</span><span class="nv"> </span><span class="s">/items/{id}"</span> <span class="nn">...</span> </code></pre></div> <p>If we need to customise our <code>httpApi</code> event, we can use the object syntax:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">...</span> <span class="na">getReceipt</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.getReceipt</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/receipt/{receiptId}</span> <span class="na">timeout</span><span class="pi">:</span> <span class="m">5</span> <span class="nn">...</span> </code></pre></div> <p>We can define a catch all route using:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="nn">...</span> <span class="na">catchAll</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.catchAll</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="nn">...</span> </code></pre></div> <h1> Protecting your routes with JWT Authorizers </h1> <p>By default, all endpoints are publicly accessible. To protect our routes, HTTP API supports JSON Web Tokens, commonly used by OAuth 2.0 and Native OpenID workflows, called <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html">JWT Authorizers</a>.</p> <p>We can restrict access to our endpoints by configuring a JWT Authorizer in our <code>provider</code> section:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">provider</span><span class="pi">:</span> <span class="s">...</span> <span class="s">httpApi</span><span class="pi">:</span> <span class="na">authorizers</span><span class="pi">:</span> <span class="na">myCustomJwtAuthorizer</span><span class="pi">:</span> <span class="na">identitySource</span><span class="pi">:</span> <span class="s">$request.header.Authorization</span> <span class="na">issuerUrl</span><span class="pi">:</span> <span class="s">https://...</span> <span class="na">audience</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">xxxx</span> <span class="pi">-</span> <span class="s">xxxx</span> </code></pre></div> <p>To authorise your request, <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html">Amazon API Gateway uses a general workflow of 4 steps</a> to validate your token by calling your JWT Authorizer. Make sure your issuer is following these requirements.</p> <p>In case you wanna use Amazon Cognito we could use the following syntax:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">provider</span><span class="pi">:</span> <span class="s">...</span> <span class="s">httpApi</span><span class="pi">:</span> <span class="na">authorizers</span><span class="pi">:</span> <span class="na">customCognitoAuthorizer</span><span class="pi">:</span> <span class="na">identitySource</span><span class="pi">:</span> <span class="s">$request.header.Authorization</span> <span class="na">issuerUrl</span><span class="pi">:</span> <span class="s">https://cognito-idp.${region}.amazonaws.com/${cognitoPoolId}</span> <span class="na">audience</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cognitoClientIDWeb</span> <span class="pi">-</span> <span class="s">cognitoClientIDMobile</span> </code></pre></div> <p>After declaring a JWT Authorizer, we can define which endpoints we want restrict access by configuring an <code>authorizer</code> key:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">functions</span><span class="pi">:</span> <span class="s">...</span> <span class="s">getProfile</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.getProfile</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/me</span> <span class="na">authorizer</span><span class="pi">:</span> <span class="s">customCognitoAuthorizer</span> </code></pre></div> <p>If we need to extend the authorisation to include scopes to our endpoint, we can change it to:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">functions</span><span class="pi">:</span> <span class="s">...</span> <span class="s">getProfile</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">handler.getProfile</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/me</span> <span class="na">authorizer</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">customCognitoAuthorizer</span> <span class="na">scopes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">user.id</span> <span class="pi">-</span> <span class="s">user.email</span> </code></pre></div> <h1> Fine grain CORS control </h1> <p>With built-in support for CORS in HTTP API, Serverless Framework made it simple for its users by defining a <code>cors: true</code> property by default:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">provider</span><span class="pi">:</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">cors</span><span class="pi">:</span> <span class="no">true</span> </code></pre></div> <p>This default behaviour implies and ensure the following headers:</p> <ul> <li><code>Access-Control-Allow-Origin: *</code></li> <li><code>Access-Control-Allow-Headers: Content-Type, X-Amz-Date, Authorization, X-Api-Key, X-Amz-Security-Token, X-Amz-User-Agent</code></li> <li> <code>Access-Control-Allow-Methods: OPTIONS</code> + all methods you defined in your route (<code>GET</code>, <code>POST</code> etc)</li> </ul> <p>In case you need a better control over it, you can manipulate the <code>provider.httpApi.cors</code> property and define:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">provider</span><span class="pi">:</span> <span class="s">...</span> <span class="s">httpApi</span><span class="pi">:</span> <span class="s">...</span> <span class="s">cors</span><span class="pi">:</span> <span class="na">allowedOrigins</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://my-allow-domain.com</span> <span class="pi">-</span> <span class="s">https://allow-this-one.com</span> <span class="na">allowedHeaders</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Authorization</span> <span class="pi">-</span> <span class="s">Content-Type</span> <span class="na">allowedMethods</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">GET</span> <span class="pi">-</span> <span class="s">POST</span> <span class="na">allowCredentials</span><span class="pi">:</span> <span class="no">true</span> <span class="na">exposedResponseHeaders</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Special-Response-Header</span> <span class="na">maxAge</span><span class="pi">:</span> <span class="m">6000</span> <span class="c1"># in seconds</span> </code></pre></div> <h1> Turning on Access Logging </h1> <p>Similar to REST APIs, we can turn on access logs in HTTP API by using <code>provider.logs.httpApi</code> like:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">provider</span><span class="pi">:</span> <span class="s">...</span> <span class="s">logs</span><span class="pi">:</span> <span class="s">...</span> <span class="s">httpApi</span><span class="pi">:</span> <span class="no">true</span> </code></pre></div> <p>If you have a particular log format, you can use the <code>.format</code> property:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">provider</span><span class="pi">:</span> <span class="s">...</span> <span class="s">logs</span><span class="pi">:</span> <span class="s">...</span> <span class="s">httpApi</span><span class="pi">:</span> <span class="na">format</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{</span><span class="nv"> </span><span class="s">"requestId":"$context.requestId",</span><span class="nv"> </span><span class="s">"ip":</span><span class="nv"> </span><span class="s">"$context.identity.sourceIp",</span><span class="nv"> </span><span class="s">"requestTime":"$context.requestTime",</span><span class="nv"> </span><span class="s">"httpMethod":"$context.httpMethod","routeKey":"$context.routeKey",</span><span class="nv"> </span><span class="s">"status":"$context.status","protocol":"$context.protocol",</span><span class="nv"> </span><span class="s">"responseLength":"$context.responseLength"</span><span class="nv"> </span><span class="s">}'</span> </code></pre></div> <p>The custom format above is used by default when you use <code>provider.logs.httpApi: true</code>, but can be used as a reference in case you wanna change it.</p> <h1> All HTTP API options reference </h1> <p>To illustrate the possibilities with Serverless Framework, we can define the following options when using HTTP APIs:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">provider</span><span class="pi">:</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">id</span><span class="pi">:</span> <span class="s">ApiID</span> <span class="c1"># ID of externally created HTTP API to attach resources</span> <span class="na">timeout</span><span class="pi">:</span> <span class="m">5</span> <span class="na">cors</span><span class="pi">:</span> <span class="no">true</span> <span class="na">authorizers</span><span class="pi">:</span> <span class="na">myJwtAuthorizer</span><span class="pi">:</span> <span class="na">identitySource</span><span class="pi">:</span> <span class="s">$request.header.Authorization</span> <span class="na">issuerUrl</span><span class="pi">:</span> <span class="s">https://cognito-idp.${region}.amazonaws.com/${cognitoPoolId}</span> <span class="na">audience</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">xxxx</span> <span class="pi">-</span> <span class="s">xxxx</span> <span class="na">logs</span><span class="pi">:</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="no">true</span> <span class="na">functions</span><span class="pi">:</span> <span class="na">myFunction</span><span class="pi">:</span> <span class="na">handler</span><span class="pi">:</span> <span class="s">myFunction.handler</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">httpApi</span><span class="pi">:</span> <span class="na">method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/url-path/{param}</span> <span class="na">timeout</span><span class="pi">:</span> <span class="m">5</span> <span class="na">authorizer</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myJwtAuthorizer</span> <span class="na">scopes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">user.id</span> <span class="pi">-</span> <span class="s">user.email</span> </code></pre></div> <p>As we can see, the syntax is familiar and easy to use. Making the usage of HTTP APIs friendly and approachable for all projects already using Serverless Framework.</p> <h1> Conclusion </h1> <p>HTTP APIs are designed for low-latency, cost-effective AWS Lambda proxy and HTTP proxy APIs. HTTP APIs support OIDC and OAuth 2.0 authorization, and come with built-in support for CORS.</p> <p><strong>When should I used it?</strong></p> <p>With something quite new, it is always a hot topic! HTTP APIs main features orbiting around:</p> <ul> <li>JWT Authorizers for JWT AuthN / AuthZ</li> <li>Proxy based API, using Lambda or HTTP backend</li> <li>Built-in CORS support</li> </ul> <p>If you are already using or can support JWT token, most of your requests are being proxied to an AWS Lambda and you require CORS for your clients. <strong>You should use or migrate to HTTP API</strong>. With an infrastructure optimized and enhanced for these features, you will see great cost reduction with better performance.</p> <p>With this new flavour in Amazon API Gateway, the enhanced performance and lower costs can be a huge win when building JWT based APIs.</p> <p>The service is still <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html">limited to a few regions</a>, but if you deploying workloads on them already, get ready to pair it up with Serverless Framework and leverage all the advantages today!</p> <p>Written by Serverless Guru Eduardo Rabelo <br> <a class="comment-mentioned-user" href="https://dev.to/oieduardorabelo">@oieduardorabelo</a> <br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--LaARHv_6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/eufw2uqasm7pfqx8kgon.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LaARHv_6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/eufw2uqasm7pfqx8kgon.jpg" alt="Alt Text"></a></p> serverless aws tutorial