The latest articles on DEV Community by Thomas Rooney (@thomasrooney). https://dev.to/thomasrooney https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F831613%2F5c433c9c-0060-4851-bb5c-1a2c2dba2712.jpeg https://dev.to/thomasrooney en Thomas Rooney Mon, 30 Jan 2023 17:35:34 +0000 https://dev.to/aws-builders/api-authentication-in-depth-20ic https://dev.to/aws-builders/api-authentication-in-depth-20ic <h2> API Authentication In Depth </h2> <p>If you're selling an API Product, one of the first decisions you're going to have to make is how to authenticate your users. This decision, once made, is hard to go back upon; any significant change will require user action to keep their integration working.</p> <p>This blog post is intended to be a guide to the different API Authentication methods in common use, and the tradeoffs to consider between them, generally categorized into the following 3 metrics.</p> <ul> <li><strong>Time to API Call</strong></li> <li><strong>Ease of API Producer Implementation</strong></li> <li><strong>Ease of API Consumer Integration</strong></li> </ul> <p>This post is inspired by work we recently undertook at Speakeasy (API DevEx tooling company) to build an <a href="https://speakeasyapi.dev/docs/integrate-speakeasy/manage-api-keys" rel="noopener noreferrer">API Key authorization flow that integrates into any API Gateway, and allows users to self-service and rotate their keys</a>. For this project we evaluated all the standard approaches to authentication before deciding on a novel approach: signed tokens as API Keys, but with 1 signing key per API key. What follows are a deep dive on the typical methods, as well as our approach.</p> <h2> Types of Authentication </h2> <p>Authenticated APIs require some way of identifying the client making the request, so that the API provider can authorize the requests to be processed, and identify the subset of data that can be accessed.</p> <p>From an API Consumer perspective, the flow is usually:</p> <ol> <li>You get a <strong>Secret Key</strong> from the service (e.g. in an authenticated Web UI).</li> <li>You store that <strong>Secret Key</strong> somewhere securely, such that your application can access it.</li> <li>You use that <strong>Secret Key</strong> within your application logic to authenticate with the API.</li> </ol> <p>This is incredibly simple, and hence has great Developer Experience (DX).</p> <p>However, from an API Producer Perspective, it's not so simple. There are choices you need to make about how the <strong>Secret Key</strong> is implemented which greatly impacts the Security Model of your application. Once you have users in production, Machine to Machine (M2M) authentication is hard to change, assuming you don’t want to break existing integrated users. Therefore, choose wisely:</p> <ol> <li><strong>Opaque Token / Shared Secrets</strong></li> <li><strong>Public / Private Key Pairs</strong></li> <li><strong>OAuth 2.0 Secrets</strong></li> <li><strong>Signed Tokens (one Signing Key)</strong></li> <li><strong>Signed Tokens (many Signing Keys)</strong></li> </ol> <p>Let’s look at the advantages and disadvantages of each approach…</p> <h3> Opaque Tokens / Shared Secrets </h3> <p>An <em>Opaque Token</em> is a <em>Shared Secret</em> that is used to authenticate a client. It is <em>Opaque</em> in that there is no message to read: all you can do with it is look up its existence in a centralised store (e.g. a database), and then, if it exists, you know who the user is.</p> <p>This is functionally the same as a password, except that it is ideally generated by a process which ensures the entropy of the token is high enough that it is entirely unguessable.</p> <p>Assuming this token is passed into the API in the <code>Authorization</code> header, from an API Consumer perspective, accessing the API is as simple as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://api.example.com/v1/endpoint <span class="nt">--header</span> <span class="s2">"Authorization </span><span class="k">${</span><span class="nv">API_KEY</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <p>From an API Producer perspective, there's a few more moving parts, but it's usually pretty trivial to implement:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis8fa6rcc76riu4ozjr9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fis8fa6rcc76riu4ozjr9.png" alt="Shared Secrets Flowchart"></a></p> <ul> <li> <strong>Time to API Call</strong>: As Fast as it gets.</li> <li> <strong>Ease of API Consumer Integration</strong>: Very Easy</li> <li> <strong>Ease of API Producer Implementation</strong>: Very Easy</li> <li> <strong>Other Considerations</strong>: <ul> <li>Often Difficult to integrate into an API Gateway</li> <li>Any validation requires a lookup where-ever these are stored. If you solely store them in the DB, this means that all lookups require a DB Read, which can cause additional latency to every request.</li> </ul> </li> </ul> <h3> OAuth 2.0 Secrets </h3> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6w4agrntsdl8elctaz0b.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6w4agrntsdl8elctaz0b.png" alt="OAuth 2.0"></a></p> <p>OAuth is commonly associated with user authentication through a social login. This doesn't make sense for API applications, as the system authenticates and authorizes an application rather than a user.</p> <p>However, through the Client Credentials Flow (<a href="https://tools.ietf.org/html/rfc6749#section-4.4]" rel="noopener noreferrer">OAuth 2.0 RFC 6749, section 4.4</a>), a user application can exchange a <strong>Client ID</strong>, and <strong>Client Secret</strong> for a short lived Access Token.</p> <p>In this scenario, the <strong>Client ID</strong> and <strong>Client Secret</strong> pair are the <strong>Shared Secret</strong> which would be passed to the integrating developer to configure in their application. In the OpenID Connect (OIDC) protocol, this happens by making a request to the <strong>/oauth/token</strong> endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">TOKEN</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">--header</span> <span class="s2">"Content-Type: application/x-www-form-urlencoded"</span> <span class="se">\</span> <span class="nt">--request</span> POST <span class="se">\</span> <span class="nt">--data</span> <span class="s2">"grant_type=client_credentials"</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s2">"client_id=CLIENT_ID"</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s2">"client_secret=CLIENT_SECRET"</span> <span class="se">\</span> https://auth.example.com/oauth/token | jq <span class="nt">-r</span> <span class="s1">'.access_token'</span><span class="si">)</span> curl <span class="nt">--header</span> <span class="s2">"Authorization Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> https://api.example.com/v1/endpoint </code></pre> </div> <ul> <li> <strong>Time to API Call</strong>: Slow.</li> <li> <strong>Ease of API Consumer Integration</strong>: Difficult</li> <li> <strong>Ease of API Producer Implementation</strong>: Difficult</li> <li> <strong>Other Considerations</strong>: <ul> <li>Can enable additional use-cases, such as granting third party systems the capability to make API calls on behalf of your users.</li> </ul> </li> </ul> <h3> Public/Private Key Pairs </h3> <p>A Public Private Key Pair allows for a user to hold a secret and the server to validate that the user holds a secret, without the server ever holding the secret. For the purpose of authenticating users, this mechanism has the lowest attack surface : i.e. it is the most secure.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq6yulxqw72bzv8cwg1nx.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq6yulxqw72bzv8cwg1nx.png" alt="Public/Private Key pairs"></a></p> <p>The cost and complexity of building and maintaining a Public/Private Key Authentication mechanism, without exposing the Private Key, opening up replay attacks, or making a mistake in implementation somewhere can be high.</p> <p>If you're selling an API to multiple consumers, it's unlikely that it will be as trivial as the following <code>curl</code> to invoke the API that you want; as the integrating system will need to understand the protocol you choose. There are also complexities regarding the certificate lifecycle, and the need to either manage certificate rotation, or pin (hardcode) each certificate into the system.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># mTLS via curl: Should you be looking to grant unscoped access to a specific API Route to trusted consumers,</span> <span class="c"># this can usually be configured by some API Gateway products in infrastructure configuration. </span> curl <span class="nt">--cacert</span> ca.crt <span class="se">\</span> <span class="nt">--key</span> client.key <span class="se">\</span> <span class="nt">--cert</span> client.crt <span class="se">\</span> https://api.example.com/v1/endpoint </code></pre> </div> <ul> <li> <strong>Time to API Call</strong>: Slow.</li> <li> <strong>Ease of API Consumer Integration</strong>: Difficult</li> <li> <strong>Ease of API Producer Implementation</strong>: Difficult</li> <li> <strong>Other Considerations</strong>: <ul> <li>Severity of the public key being leaked is functionally zero -- no intermediary system holds enough data to make/replay requests except the original sender.</li> </ul> </li> </ul> <h3> Signed Tokens as API Keys </h3> <p>A Signed Token is secret; in the same way that a Shared Secret is secret. </p> <p>However, due to standardization of technologies, it is starting to become commonplace to use long-lived Signed Tokens, in the form of JWTs (JSON Web Tokens), as API Keys. This enables the following pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--header</span> <span class="s2">"Authorization Bearer </span><span class="k">${</span><span class="nv">API_KEY</span><span class="k">}</span><span class="s2">"</span><span class="se">\</span> http://api.example.com/v1/endpoint </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftm1js03y78ak6t3mtxc5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftm1js03y78ak6t3mtxc5.png" alt="JWT Flowchart"></a></p> <ul> <li> <strong>Time to API Call</strong>: Fast.</li> <li> <strong>Ease of API Consumer Integration</strong>: Simple</li> <li> <strong>Ease of API Producer Implementation</strong>: Simple</li> <li> <strong>Other Considerations</strong>: <ul> <li>Difficult to revoke tokens: either a whitelist/blacklist is used (in which case, little advantage exists over shared secrets), or the signing key must be rotated.</li> <li>Easy to add complexity through custom claims into the token, which can lead to complexity migrating tokens into a new form.</li> <li>Easy to block requests from reaching application servers through an API Gateway and Asymmetric Keys (split into Private JWTs and Public JWKs).</li> </ul> </li> </ul> <h3> Our Approach: Signed Tokens as API Keys, but 1-Signing-Key-Per-API-key </h3> <p><a href="https://dev.to/docs/integrate-speakeasy/manage-api-keys">Integration Documentation available here</a></p> <p>There are 3 problems with the Signed Tokens as API Keys pattern:</p> <ol> <li>Revoking a key is hard: it is very difficult for users to revoke their own keys on an internal compromise.</li> <li>Any compromise of the Signing Key is a compromise of all keys.</li> <li>API Gateways can't usually hook into a whitelist/blacklist of tokens.</li> </ol> <p>To tackle these, we can do three things:</p> <ol> <li>Use Asymmetrically Signed JWTs, storing and exposing a set of Public Keys via a JWKS (JSON Web Key Set) URI.</li> <li>Sign each Token with a different Signing Key; burn the Signing Key immediately afterwards.</li> <li>Ensure that API Gateways only retain a short-lived cache of JWKS (the Public Key to each Signing Key).</li> </ol> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foqlg3wvfh0juor4avhqu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foqlg3wvfh0juor4avhqu.png" alt="Multi-Key JWTs"></a></p> <p>This gives us a flow that's very similar to a shared secret, but with the advantage that:</p> <ul> <li>Revoking a key is easy: the Public Key just needs to be removed from the JWKS and caches invalidated.</li> <li>There is no Signing Key to compromise ; all Authorization Server state can be public.</li> </ul> <p>With the tradeoff:</p> <ul> <li>Any API Gateway that validates a JWT must be able to regularly fetch JWKS (and cache them) from the Authorization Server. E.g. in AWS's API Gateway, you would configure a <code>jwks_uri</code> that points at your public keys.</li> <li>After creating/revoking a key, there will be a short time delay (we generally configure this to be 15 seconds) whilst the key propagates into all API Gateway JWK caches.</li> <li>More compute is required when constructing the Initial API Key; due to the generation of a public/private key pair.</li> <li>You need to give the API Gateway application cluster slightly more memory to keep all Public Keys (1 per API key) in memory.</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F30b4z0244is50eaqyzqa.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F30b4z0244is50eaqyzqa.gif" alt="What It Looks Like"></a></p> <h4> In Practice: Envoy / Google Endpoints / EspV2 </h4> <p>Envoy is a proxy server that is used to route traffic to a backend service. We ran extensive tests with ESPV2 (Envoy Service Proxy V2) and Google Endpoints, and found/validated the following performance characteristics as the number of keys increased.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Espv2 is configured with an OpenAPI specification to use an external JWKs URI to validate incoming API Keys</span> <span class="na">securityDefinitions</span><span class="pi">:</span> <span class="na">speakeasy_api_key</span><span class="pi">:</span> <span class="na">authorizationUrl</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">flow</span><span class="pi">:</span> <span class="s2">"</span><span class="s">implicit"</span> <span class="na">type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">oauth2"</span> <span class="na">x-google-issuer</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://app.speakeasyapi.dev/v1/auth/oauth/{your-speakeasy-workspace-id}"</span> <span class="na">x-google-jwks_uri</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://app.speakeasyapi.dev/v1/auth/oauth/{your-speakeasy-workspace-id}/.well-known/jwks.json"</span> <span class="na">x-google-audiences</span><span class="pi">:</span> <span class="s2">"</span><span class="s">acme-company"</span> </code></pre> </div> <p>We ran benchmarks of up to 1138688 API keys, structured as public/private 2048-bit RSA keypairs with a single RS256 Signed JWT-per-JWK, using a 8GiB Cloud Run managed Espv2 instance. At this key size and at ~100 requests/second, we observed a peak of ~37% utilization of memory, with ~7% utilized at no API keys. This implies an 8GiB EspV2 instance should scale to ~3M API Keys at this request rate.</p> <p>This also implies that this mechanism will scale with Envoy RAM with a minor deviation in maximum latency, to the degree of ~3.5ms additional maximum request latency every 8192 API keys. The average additional latency introduced by large numbers of API keys is affected to a much lesser degree, ~0.2ms every 8192 API Keys.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbmkayca3h42exsrn9mm2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbmkayca3h42exsrn9mm2.png" alt="Performance Consequences"></a></p> <p>Given most API Applications have less than 3M API Keys active at any given time, this approach, in our belief, combines the best of both worlds: Public/Private Key Crypto, with the ease of an API Key.</p> api security devops tutorial Thomas Rooney Wed, 04 May 2022 11:10:10 +0000 https://dev.to/aws-builders/make-your-end-to-end-tests-fast-557c https://dev.to/aws-builders/make-your-end-to-end-tests-fast-557c <h2> Reflow v4.14.0 </h2> <p>If your end-to-end tests are slow, you will either avoid running them, or waste time and delay your release cadence. A fast end-to-end test suite is a valuable asset to your team's productivity.</p> <p>We released <a href="https://reflow.io/changelog" rel="noopener noreferrer">Reflow v4.14.0</a> today, which reduces our average end-to-end test sequence time by ~70%. We're writing this article to explain how. <a href="https://reflow.io/readme" rel="noopener noreferrer">Reflow</a> is a low-code tool that helps your team develop and maintain resilient end-to-end tests. We use <a href="https://playwright.dev" rel="noopener noreferrer">playwright</a> under the hood, so anything we've done can be applied regardless of if you use Reflow or not.</p> <h2> Embarrassingly Parallel Testing </h2> <p>Your end-to-end test suite <em>must</em> run user steps in a flow syncronously, but <strong>should</strong> run multiple independent flows in parallel.</p> <p>In reflow, we embrace this with our distributed architecture. <a href="https://reflow.io/readme#pipelines" rel="noopener noreferrer">Test Composition with Pipelines</a> allows for <code>N</code> servers to be created to handle <code>N</code> user flows: you just need to design your test suites to be able to run in parallel.</p> <p>Despite this ethos, synchronous code can easily creep in.</p> <p>For example, the following code handles a progressive test update providing realtime user feedback: taking in an array of updating steps and executing them sequentially.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">action</span> <span class="k">of</span> <span class="nx">toUpdate</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">queryAll</span><span class="o">&lt;</span><span class="nx">ActionInContextModel</span><span class="p">,</span> <span class="nx">MutationUpdateActionInContextArgs</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">client</span><span class="p">,</span> <span class="p">{</span> <span class="na">mutation</span><span class="p">:</span> <span class="nx">shallowUpdateActionInContext</span><span class="p">,</span> <span class="na">variables</span><span class="p">:</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="nx">action</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>This can trivially be re-written to run in parallel.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span><span class="nx">toUpdate</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">action</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">queryAll</span><span class="o">&lt;</span><span class="nx">ActionInContextModel</span><span class="p">,</span> <span class="nx">MutationUpdateActionInContextArgs</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">client</span><span class="p">,</span> <span class="p">{</span> <span class="na">mutation</span><span class="p">:</span> <span class="nx">shallowUpdateActionInContext</span><span class="p">,</span> <span class="na">variables</span><span class="p">:</span> <span class="p">{</span> <span class="na">input</span><span class="p">:</span> <span class="nx">action</span><span class="p">,</span> <span class="p">},</span> <span class="p">}))</span> <span class="p">);</span> </code></pre> </div> <p>Reflow uses AppSync Resolvers with Serverless DynamoDB to power our APIs. This scales up/down as needed, so we see absolutely no negative impact doing more in parallel. We fixed this is v4.12.1, and in v4.14.0 we're enhancing that further by introducing an additional caching layer to reduce S3 object pushes for screenshot images.</p> <h2> Conditional Stability </h2> <p>Reflow <em>learns</em> about your application, and uses that knowledge to keep recorded tests stable. However, keeping recorded tests stable often takes time; from v4.14.0 Reflow now dynamically reduces its stability methods by introducing additional logic to determine if they're necessary or not.</p> <p>Prior to v4.14.0, this section of code would always wait for the three events after every action: a <code>load</code> event, a <code>networkidle</code> event, and <code>screenshotstable</code> event.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">private</span> <span class="k">async</span> <span class="nf">pageStable</span><span class="p">(</span><span class="nx">baselineAction</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">page</span><span class="p">.</span><span class="nf">waitForLoadState</span><span class="p">(</span><span class="dl">'</span><span class="s1">load</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">30000</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">verbose</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">test</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="dl">"</span><span class="s2">waitForLoadState('load')</span><span class="dl">"</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">page</span><span class="p">.</span><span class="nf">waitForLoadState</span><span class="p">(</span><span class="dl">'</span><span class="s1">networkidle</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">5000</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">verbose</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">test</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="dl">"</span><span class="s2">waitForLoadState('networkidle')</span><span class="dl">"</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="p">}</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">screenshotStable</span><span class="p">(</span><span class="nx">baselineAction</span><span class="p">?.</span><span class="nx">preStepScreenshot</span><span class="p">?.</span><span class="nx">image</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <ol> <li> <code>load</code> - wait for the load event to be fired. This event fires when all markup, stylesheet, javascript and all static assets like images and audio have been loaded.</li> <li> <code>networkidle</code> - wait until there are no network connections for at least 500 ms.</li> <li> <code>screenshotStable</code> - waits until the screenshot either matches a given baseline screenshot, or the page stops animating as two subsequent screenshots look the same</li> </ol> <p>Unfortunately, if the page is already stable, but has background network requests, this will introduce a 5s delay due to the <code>networkidle</code> state. To avoid this, we now only wait for <code>networkidle</code> when the action historically had a navigation, or when the run is executed with an optional flag to enforce all stability checks.</p> <p>The lesson here is to only use stability methods when it's truly necessary to do so. Do not add them arbitrarily to your code, but sprinkle them across it when test actions need a stability enhancer.</p> <p>Reflow will dynamically learn about your application by hooking into DOM and Network events. If you want to spend less effort maintaining your end-to-ends, give it a try.</p> <h2> No more explicit waits </h2> <p>In many companies, when there's an issue with end-to-end stability, adding a <code>await wait(1000)</code> or equivalent to just delay test action execution is a common strategy.</p> <p>This is a far greater sin than arbitrarily using stability methods. Stability methods will exit early once their stability event fires. If you're feeling lazy, at the very least try a <code>waitForLoadState</code> rather than a <code>wait</code> first.</p> <p>If you're up for writing a bit more code, try writing a <code>waitUntil</code> clause that explicitly waits for some page state to be set when the page is stable. Whilst reflow supports a <code>wait</code> action, we advise our clients to always use a visual assertion instead. This will wait (up until an arbitrary configurable maximum) until a page element looks like a recorded baseline. If it doesn't reflow can be configured to continue or fail the test.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxlo7s0vroqhkevqk4pwj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxlo7s0vroqhkevqk4pwj.png" alt="Inspect Visual Assertions"></a></p> <p>A few <code>wait(X)</code> statements creep into the reflow codebase over time. It's tempting to add them into new features to lazily increase stability enough to ship the feature. In v4.14.0, we've ruthlessly culled all explicit <code>wait</code> invocations from hot code paths, replacing them with dynamic wait times tuned based on application under test.</p> <h2> Move compute outside hot pathways </h2> <p>Reflow uses a visual comparison algorithm (SSIM weighted Pixel Diff) to compute visual changes. It captures full-height web pages, then compares these to baseline images to compute stability and inform the user of page changes.</p> <p>This is done entirely on the CPU, and is therefore relatively slow: for a page that's 1080 x 10000px in height we find it can block the main thread for 2-3 seconds. This has been a major performance bottleneck for large applications.</p> <p>Some of these visual comparisons are done to compute stability, but for those that are for providing visual feedback they don't need to be on the main thread; instead we now return a promise that gets dynamically resolved when needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">private</span> <span class="k">async</span> <span class="nf">screenshotStable</span><span class="p">(</span><span class="nx">baselineScreenshot</span><span class="p">:</span> <span class="nx">S3ObjectInput</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">diff</span><span class="p">:</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">ComparisonModel</span> <span class="o">|</span> <span class="kc">undefined</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">current</span><span class="p">?:</span> <span class="p">{</span> <span class="na">image</span><span class="p">:</span> <span class="nx">S3ObjectInput</span> <span class="p">};</span> <span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span> <span class="cm">/* ... */</span> <span class="p">}</span> </code></pre> </div> <h2> Move compute into worker threads </h2> <p>By default, all compute in Node.JS is single-threaded. It's usually not worth the effort to build multi-threaded applications: most node.js processes can handle work by distributing it amongst processes, rather than having to deal with threads.</p> <p>In Reflow, because of the compute-heavy nature of image comparison, we've moved it into a worker thread. This ensures that there's no halting of the application during a visual comparison: all other asyncronous processes (such as realtime uploads of test progress) can be handled in parallel with image comparison.</p> <p>We did this via the npm <a href="https://threads.js.org/" rel="noopener noreferrer">threads</a> wrapper and <a href="https://esbuild.github.io/" rel="noopener noreferrer">esbuild</a>. We first moved all of our compute code into a new file with minimal imports, called <code>imageCompare.worker.js</code>. We then added a pre-compilation step with esbuild to compile this file into a bundle. We then spawn the worker using this generated file as a blob, and interact with it via the <code>threads</code> promise interface.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">expose</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">threads/worker</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">isMainThread</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">worker_threads</span><span class="dl">'</span><span class="p">;</span> <span class="cm">/* ... */</span> <span class="kd">const</span> <span class="nx">workerExports</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">configureWorker</span><span class="p">,</span> <span class="nx">compareFiles</span><span class="p">,</span> <span class="nx">compareScreenshots</span><span class="p">,</span> <span class="p">};</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isMainThread</span><span class="p">)</span> <span class="p">{</span> <span class="nf">expose</span><span class="p">(</span><span class="nx">workerExports</span><span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">ImageCompareWorkerExports</span> <span class="o">=</span> <span class="k">typeof</span> <span class="nx">workerExports</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">spawn</span><span class="p">,</span> <span class="nx">BlobWorker</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">threads</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">ImageCompareWorkerExports</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./imageCompare.worker</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">configureWorker</span><span class="p">,</span> <span class="nx">comparePNG</span> <span class="k">as</span> <span class="nx">workerComparePng</span><span class="p">,</span> <span class="nx">cropImage</span> <span class="k">as</span> <span class="nx">workerCropImage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./imageCompare.worker</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">source</span> <span class="k">as</span> <span class="nx">workerBlob</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../generated/imageCompare.workerSource</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">logger</span><span class="p">,</span> <span class="p">{</span> <span class="nx">getLevel</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../logger</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">worker</span><span class="p">:</span> <span class="nx">ImageCompareWorkerExports</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">bootImageCompareWorker</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">worker</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">spawn</span><span class="o">&lt;</span><span class="nx">ImageCompareWorkerExports</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">BlobWorker</span><span class="p">.</span><span class="nf">fromText</span><span class="p">(</span><span class="nx">workerBlob</span><span class="p">));</span> <span class="nf">configureWorker</span><span class="p">(</span><span class="nf">getLevel</span><span class="p">(</span><span class="nx">process</span><span class="p">?.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">LOG_LEVEL</span><span class="p">));</span> <span class="k">return</span> <span class="nx">worker</span><span class="p">.</span><span class="nf">configureWorker</span><span class="p">(</span><span class="nf">getLevel</span><span class="p">(</span><span class="nx">process</span><span class="p">?.</span><span class="nx">env</span><span class="p">?.</span><span class="nx">LOG_LEVEL</span><span class="p">));</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">fatal</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error starting worker</span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">compareFiles</span><span class="p">(</span><span class="nx">imageA</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">imageB</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">outFile</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">worker</span><span class="p">.</span><span class="nf">compareFiles</span><span class="p">(</span><span class="nx">imageA</span><span class="p">,</span> <span class="nx">imageB</span><span class="p">,</span> <span class="nx">outFile</span><span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">compareScreenshots</span><span class="p">(</span><span class="nx">preData</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">,</span> <span class="nx">postData</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">,</span> <span class="nx">options</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">ScreenshotCompareOutput</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">worker</span><span class="p">.</span><span class="nf">compareScreenshots</span><span class="p">(</span><span class="nx">preData</span><span class="p">,</span> <span class="nx">postData</span><span class="p">,</span> <span class="nx">options</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Track your releases, run end-to-end tests once per release </h2> <p>Your end-to-end tests should be focused on catching regressions, not <em>heisenbugs</em>: if they pass once on a release you shouldn't execute them again.</p> <p>In v4.14.0 we made our first step towards helping QA teams do this: source-map powered release tracking. Reflow now hashes and downloads all source maps associated with a given release (conditionally with a regular expression to filter them to application code) to create a version identifier. This means that it can track when your application is released, and hence allow you to determine if an end-to-end sequence has already been successfully executed on that release.</p> <p>This is currently opt-in, as we're still working out how to make downloading sourcemaps not affect the performance of a test execution when large numbers of them are exposed. We've built a sourcemap explorer and a simple UI to help guide our customers on what's currently executing within an environment.</p> <h2> TL;DR </h2> <ol> <li>Cull all sleep statements: always wait for specific events. Only introduce stability methods when necessary.</li> <li>Execute your tests in parallel</li> <li>Intelligently Cache Tests; don't bother executing them more than once per release</li> </ol> <p>If you're feeling adventurous, try reflow: a low-code record/replay test automation SaaS that will try to do all this for you, fast.</p> <p><em>Minor caveat: self-host reflow for maximum speed. We use AWS Fargate to spin up per-user ephemeral browser instances, which have ~1 minute cold startup times on the first use of a test recorder.</em></p> testing devops webdev programming Thomas Rooney Wed, 13 Apr 2022 09:46:06 +0000 https://dev.to/thomasrooney/introduction-to-software-qa-tooling-in-2022-55c3 https://dev.to/thomasrooney/introduction-to-software-qa-tooling-in-2022-55c3 <h2> What is Software QA </h2> <p>We want to build bug-free and high quality software, that satisfies a customer need. Unfortunately, it's not easy!</p> <p>Software QA is a set of processes and practices to help ensure that the software we produce is of high quality, meets our requirements and is free of defects. </p> <p>There are no silver bullets, no optimal tools or strategies to achieving good QA in every organization. However, there are often very significant QA inefficiencies and, with founders observing this, there has been significant development effort placed into building new tools to help streamline QA. These tools can drastically drop the cost of high-quality software development, and hence are very worthwhile to evaluate.</p> <p>In this article I'll summarize 3 QA patterns we've seen inside organizations, how these can be made to work, and how they often fall short. I'll discuss how to evaluate tooling, and give a brief evaluation of the tool I've been building at <a href="https://reflow.io">reflow.io</a>. I'll finally give a list of other emerging tooling in this space, and some ways these tools differentiate from each other. </p> <h2> Popular Strategies for Software QA </h2> <h3> Strategy 1: Only developers do QA </h3> <p>The development team is the gatekeeper to code quality. They are responsible for all code changes, and will naturally build automated tests as part of development. Developers build something, hopefully feel responsible for what they build, and hence hopefully that responsibility can convert into product quality when they manage QA exclusively. </p> <h4> When it works </h4> <p>Organizations that can pull this off have a few things in common. They have:</p> <ul> <li>A culture that values high quality work output</li> <li>Hiring practices that embed the skills to build automated tests into development teams</li> <li>Procuring tooling that allow the easy creation of automated tests</li> </ul> <h4> When it doesn't work </h4> <p>This is a great idea in theory, but it's rarely a practical reality.</p> <ol> <li>Developer prioritization is often tightly controlled, and QA is (often rightly) prioritized behind feature development. It's hard to get automated testing to keep up with the speed of development.</li> <li>Developers will often have a different view of what is high quality than the end user of the software. They often have a natural bias towards their concept of the happy path, and lack the perspective of a potential customer.</li> <li>Developer compensation and career growth is often tightly linked to feature development, rarely linked to QA output. Exclusively developer-managed QA leads to a natural tendency to want to "ship the feature" and move on to the next thing.</li> </ol> <h3> Strategy 2: A siloed QA team does QA </h3> <p>A team of QA specialists are brought in to test software, often working in an isolated silo away from the development team. They have full control of QA priorities, and are charged with creating automated tests, as well as manual testing as required.</p> <h4> When It Works </h4> <ul> <li>Should the QA team establish themselves as a trusted advisor to the development team, this can work well.</li> <li>QA teams that can both build that relationship and deeply engage with the product from a customer-centric perspective can offer value not just in building product quality, but in aligning the product with the customer's needs. </li> </ul> <h4> When it doesn't work </h4> <ol> <li>When the QA team lacks the experience to engage with the product, it can be hard for them to do valuable QA activities.</li> <li>When the QA team lack the tools to effectively automate testing in a cost-effective way, they can quickly become overwhelmed and grow into a liability instead of an asset. </li> <li>There is a natural tendency for QA to become a bottleneck to release, and a scapegoat if things go wrong.</li> </ol> <h3> Strategy 3: Dev team embeds QA personnel within it. </h3> <p>In this model, the development team embeds QA personnel within it. The QA team is responsible for QA, but they are part of the development team, and are integrated into the development team's process.</p> <p>This is a good compromise between the developer-only QA model, and the siloed QA model. When QA personnel are part of the development team, they are naturally more invested in the quality of the product, and are naturally integrated into the development process, allowing them to provide input into the process at an earlier stage.</p> <h4> When it doesn't work </h4> <ol> <li>When QA teams are embedded in development teams, they are often pulled into the development team's process, and it can be hard for them to maintain their QA focus.</li> <li>QA Personnel integrated with the development team naturally become influenced by pressures that influence the development, and inherit the biases of the development team, especially if they also work on features.</li> <li>When QA personnel aren't deeply experienced in automated testing, they can be a drag on development team productivity.</li> <li>Since QA personnel are often individually allocated to a project, upon their leaving knowledge can be easily lost. This strategy can introduce significant Churn vulnerability. </li> <li>As the Dev team scales, most teams specialize and silo. This pattern often naturally falls apart as priorities are shifted and teams are split.</li> </ol> <h3> Tooling </h3> <p>Whichever strategy is taken, tooling choices are key to successful software QA. Without tooling, QA is manual, and manual QA does not scale anywhere near as well as software.</p> <p>All QA tooling has a fundamental aim: <strong>"Reducing the severity of bugs"</strong>, and/or <strong>"Reducing the likelihood of bugs"</strong>. Both commercial and non-commercial tool options should be evaluated against these goals in a specific context. </p> <h4> Fast deployment / monitoring: Reduce severity of bugs </h4> <p>If the product can be deployed fast, is heavily monitored, and has resilient data architecture, then QA is fundamentally less important. E.g. if a bug is fixed minutes from when its found, and the severity is such that there's no long-lasting impact from the bug, then resources spent on pre-release becomes less well-spent.</p> <p>Hence, especially for early-stage products, investments in Monitoring and Continuous Deployment tooling are of higher value than investments in test automation. </p> <p>This will usually change over time as a product becomes more complex and developers churn. When this happens, investments in Test Automation tooling to enable a team to release faster can be incredibly cost-effective.</p> <h4> Efficiency of Test Automation: Reduce likelihood of bugs </h4> <p>Test Automation is the only foolproof method we have to ensure that bugs are found before a release, that scales to arbitrary product complexity. As such, for any products where the severity of bugs is high, and that undergoes continuous development, this is the only way of achieving a high quality product in the long term.</p> <p>There are a large (and growing) number of tools that try to improve product team's effectiveness of test automation, focusing on different pain points and user stories. There is a natural efficiency gain by using a commercial tool: by embedding machine-learned application configuration into a database, a commercial tool can provide features that are very difficult to provide by using an open-source tool alone. </p> <p>By virtue of the vast number of different ways that product teams develop software, be wary of picking the wrong tool, and evaluate carefully based on your unique needs. All SaaS Test Automation tools cause some degree of lock-in. When your product team churns, or your QA needs out-grow the tool, then you might find that your testing effort stagnates.</p> <h3> About Reflow </h3> <p><a href="https://reflow.io">Reflow</a> is a tool that allows non-technical QA personnel to implement end-to-end tests using a no-code recording UI, supported by engineers importing snippets of their end-to-end test suite.</p> <p>It is designed to be highly flexible, with developers able to add their own browser interactions into the no-code UI using playwright. It is also designed for record/replay processes to be available <strong>both</strong> in a web UI at <a href="https://app.reflow.io">app.reflow.io</a>, and running on a local machine via a CLI tool, including in a Continuous Integration server.</p> <ul> <li> <strong>"Reducing the severity of bugs"</strong>: Reflow can be used as a low-code tool for visual monitoring of a software product, to quickly recognize when a site has regressed. Target your production application to use Reflow for <em>Synthetic Monitoring</em>.</li> <li> <strong>"Reducing the likelihood of bugs"</strong>: Reflow can be used to enhance the <em>efficiency</em> of automated testing processes, by enabling non-technical QA personnel to design, develop, and implement test automation strategies; allowing their work to be run automatically by a CI server or on a developer's machine locally.</li> </ul> <h4> When It Works </h4> <p>Reflow is best used by teams that have a mix of technical and non-technical staff testing an application. Its workflows focus on enabling them to work together better, by enabling the development team to enhance QA team workflows with snippets from their end-to-end test suite; and the QA team to enhance a developer's workflow by giving them business-specific sequences and tests that they can run as part of their Continuous Integration tooling.</p> <p>Reflow works best when Engineering teams integrate the CLI tool directly into their codebase; executing QA-managed test sequences against locally running software.</p> <h4> When It Doesn't Work </h4> <p>Reflow will provide little value when a product is entirely tested by a development team. A development team can almost always manage a versioned end-to-end testing framework with greater ease than an invoked tool that they record in a web UI.</p> <p>The value that reflow can provide to an entirely developer-owned qa-cycle are <em>observability</em> of end-to-end test runs, <em>audit records</em> and <em>screenshot-capture/comparison</em>. However, if these are not important to your product, it's worth looking for other tools.</p> <p>Reflow is also currently only available via <a href="https://aws.amazon.com/marketplace/pp/prodview-7ztwtzccsucde">AWS Marketplace</a> under their <a href="https://d7umqicpi7263.cloudfront.net/eula/product/b9a9aeef-2558-4cd2-89f6-f30d199d9515/6a38cb99-ccf7-4ae6-b332-01e98c06d232.pdf">Standard Terms and Conditions</a> for Subscription Products, meaning paying users must have an AWS account. </p> <h4> Request for feedback </h4> <p>Reflow is a bootstrapped product, built by 1 engineer, with 1 engineer's insights into QA, and a small amount of external feedback from its growing user-base. We'd love to get more feedback to we ensure we build the best product we can.</p> <h3> Tooling Category: Record/Replay Test Automation Tools </h3> <p>These tools are aimed towards product teams that want to use code-free automated testing: this enables non-developers to contribute towards automated testing of a product. They often have features like <a href="https://reflow.io/readme#auto-healing">auto-healing</a>, <a href="https://reflow.io/readme##visual-assertions">visual-regression-testing</a>, <a href="https://reflow.io/readme#capabilities">data-driven-testing</a> and <a href="https://reflow.io/readme#mobile-device-emulation">cross-browser-testing/responsiveness-testing</a>.</p> <ul> <li> <a href="https://reflow.io">reflow.io</a> (Launched 2022)</li> <li> <a href="https://preflight.com/">preflight.com</a> (Launched 2021)</li> <li> <a href="https://www.rainforestqa.com/">rainforestqa.com</a> (Launched 2021)</li> <li> <a href="https://reflect.run">reflect.run</a> (Launched 2020)</li> <li> <a href="https://mabl.com">mabl.com</a> (Launched 2018)</li> <li> <a href="https://ghostinspector.com/">ghostinspector.com</a> (Launched 2014)</li> <li> <a href="https://testim.io">testim.io</a> (Launched 2014)</li> </ul> <h4> Differentiating these tools: Which one is best for your needs? </h4> <p>Whilst these tool have <em>many commonalities</em>, they each have a set of capabilities that aligns them to different products and product teams.</p> <ul> <li> <strong>Local Testing</strong>: Some tools work locally, some do not. Some partially support it through the use of a network tunnel. <ul> <li>Reflow supports Local testing via a npm package, allowing the entire record/replay process to be executed on your Windows, Mac or Linux system.</li> </ul> </li> <li> <strong>Mobile Testing</strong>: Some tools support mobile device emulation, some use real mobile devices, some do not support this at all. <ul> <li>Reflow supports mobile device emulation, but does not run tests on real mobile devices.</li> </ul> </li> <li> <strong>Cross Browser Testing</strong>: Most tools support execution of tests in more than one browser engine, but some only support one browser. <ul> <li>Reflow wraps <a href="https://playwright.dev">playwright</a>, and thus allows for test execution in Edge, Chrome, Firefox and Safari. However, tests can only be recorded in Chromium based browsers.</li> </ul> </li> <li> <strong>Selector Stabilisation</strong>: Some tools rely entirely on visual mechanisms to stabilize element selectors: some rely entirely on CSS selectors. Some do both. <ul> <li>Reflow stabilizes/auto-heals selectors with both CSS and visual data. However due to this it only supports web applications. </li> </ul> </li> <li> <strong>Customization</strong>: Most tools allow for the execution of JavaScript in the browser, but not all allow for deeper configuration of the test execution environment. <ul> <li>Reflow supports adding custom actions via importing <a href="https://reflow.io/readme#snippets">parameterized playwright snippets</a>. These snippets allow for arbitrary configuration of the test environment.</li> </ul> </li> <li> <strong>Data Export</strong>: Using a code-free tool usually means your data will be held inside the tool, and not in your codebase. Each tool differs in how to leave it. <ul> <li>Reflow allows you to export all your data at any time via its CLI. It also has specific workflows for <a href="https://reflow.io/blog/regenerating-documentation">extracting product screenshots from test runs</a>, and can export its test into playwright code. </li> </ul> </li> <li> <strong>Integrations</strong>: Some tools have vendor-specific integrations. Some are self-contained, and can be executed over a CLI in any server. <ul> <li>Reflow can be executed in a CLI runner after just an <code>npm install reflowio</code> command. This means it can be added directly into any existing CI/CD pipeline. </li> <li>Reflow does not have vendor-specific integrations for tools like JIRA, Slack, or TestCafe </li> </ul> </li> <li> <strong>Cost</strong>: Some tools have a trial period, some have a free-tier. Many do not publish pricing details and may provide company-specific quotes after they understand what your business will afford. <ul> <li>Reflow is available via <a href="https://aws.amazon.com/marketplace/pp/prodview-7ztwtzccsucde">AWS Marketplace</a>, giving transparency over all its <a href="https://reflow.io/pricing">pricing metrics</a> and with <a href="https://reflow.io/docs/cost_management/image_retention">cost-management</a> options to ensure there are no unexpected charges.</li> </ul> </li> <li> <strong>API Testing</strong>: Some tools provide specific workflows for API Testing, and allow for it to be done using a code-free workflow <ul> <li>Reflow requires API testing be done via snippets, and lacks a code-free workflow for API testing. </li> </ul> </li> <li> <strong>Desktop Application Testing</strong>: Some tools support more than just Web UIs, also executing on desktop applications <ul> <li>Reflow only supports Web UIs</li> </ul> </li> <li> <strong>Isolation</strong>: Some tools are experimenting with <em>Test Isolation</em>: I.e. isolating the test execution from different parts of the application. For example, some may have first-class network mocking/replay capabilities, that enable fully deterministic UI replay. <ul> <li>Reflow is experimenting with <strong>Unit Test Generation</strong> for React components using Runtime Execution Analysis via Source maps. However this isn't yet live. We're not sure on the utility for test isolation yet.</li> <li>Reflow snippets can enable network mocking/replay functionalities via playwright APIs.</li> </ul> </li> <li> <strong>Visual Regression Testing</strong>: Almost all tools have different approaches to visual regression testing. These approaches will work better for some products, but not all. <ul> <li>Reflow Visual Regression Testing is implemented with <a href="https://en.wikipedia.org/wiki/Structural_similarity">SSIM-weighted</a> pixeldiff. This will minimize picking up minor rendering differences between browsers, and highlight significant rendering differences when they are close together.</li> </ul> </li> </ul> webdev testing playwright javascript Thomas Rooney Wed, 06 Apr 2022 15:28:48 +0000 https://dev.to/thomasrooney/fixing-flaky-end-to-end-tests-with-playwright-and-reflowio-116e https://dev.to/thomasrooney/fixing-flaky-end-to-end-tests-with-playwright-and-reflowio-116e <p>End-to-end testing is a Quality Assurance technique that involves exercising and validating an application's workflow from start to finish.</p> <p>This technique aims to reproduce real user scenarios and validate expectations over application output.</p> <p>Unfortunately, end-to-end testing has problems that make tests difficult to maintain:</p> <ol> <li>The testing process must generally assume that the system is in a <strong>consistent starting state</strong>. This might require seeding or wiping test data before/after the test is run.</li> <li>When <strong>application changes</strong> are made, there may need to be changes to the test sequence to handle the application update.</li> <li>Even when nothing changes, sometimes tests will fail anyway. Such tests are denoted as <strong>flaky</strong>.</li> </ol> <p>In building <a href="https://reflow.io">reflow.io</a>, we have accrued a toolkit of strategies to fix <em>flaky</em> tests, and automatically heal the test sequence when there are <em>application changes</em>. Reflow is a SaaS tool that allows your QA team to build/maintain your end-to-end test suite using a no-code UI. It has powerful primitives that cover the majority of automation scenarios, but can also be enhanced by importing code snippets from your end-to-end tests to power workflows specific to your application. This article is a summary of the techniques we use, and how to apply them into your test suite, regardless of whether you use reflow or not.</p> <h2> Why does this matter? </h2> <p>Time is a precious resource for all product teams. It must be protected and spent wisely. <strong>Flaky tests cost time</strong>.</p> <ul> <li>Every time a test flakes, generally someone will investigate whether the failure is a true-failure, or a false-positive. The time cost of this can become very significant.</li> <li>A test may have downstream dependencies that cannot run until the test is re-run, or fixed. This can often escalate the time cost.</li> <li>The failed test may place your system into a non-deterministic state, which may then require manual effort to fix.</li> </ul> <p><strong>Emotional Damage</strong></p> <ul> <li>The very existence of an automated tests implies that someone cared enough to automate away some manual effort.</li> <li>When that manual effort returns through a test flake, there is an emotional toll.</li> <li>If the flake cannot be removed, the team will be very aware that they are stuck maintaining them in perpetuity. </li> </ul> <p><strong>Automation Trust</strong></p> <ul> <li>If the tests are flaky, the tests will not be trusted.</li> <li>If the tests are not trusted, they will become gradually deprecated and eventually removed.</li> <li>If the product team does not replace these tests, the codebase will lose test coverage, and may become less trusted.</li> <li>If the codebase is less trusted, productivity will suffer. </li> </ul> <h2> Mitigations </h2> <h3> Strategy 1: Generic pre-action stability </h3> <p>The most common flake reason that we see is caused by interacting with the page too quickly. Page elements often get rendered before they can be successfully interacted with. This means just checking for their existence is often not enough.</p> <p>There are a few generic actions that can be done to increase the likelihood that the page is fully loaded before it is interacted with.</p> <p>In playwright, these stability method are available at the <a href="https://playwright.dev/docs/api/class-frame#frame-wait-for-load-state">waitForLoadState</a> api.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nx">waitForLoadState</span><span class="p">(</span><span class="dl">'</span><span class="s1">domcontentloaded</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">15000</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nx">waitForLoadState</span><span class="p">(</span><span class="dl">'</span><span class="s1">load</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">30000</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nx">waitForLoadState</span><span class="p">(</span><span class="dl">'</span><span class="s1">networkidle</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">5000</span> <span class="p">});</span> </code></pre> </div> <p>These 3 load events are:</p> <ol> <li> <code>domcontentloaded</code> - wait for the DOMContentLoaded event to be fired. This fires when the initial page document is loaded and parsed. For SPAs, stylesheets, images and javacript will generally not be loaded when this event fires. Hence it is usually preferable to rely on the <code>load</code> event instead.</li> <li> <code>load</code> - wait for the load event to be fired. This event fires when all markup, stylesheet, javascript and all static assets like images and audio have been loaded. For many SPAs, which dynamically load data after the page renders its initial document, the <code>load</code> event may not be enough. </li> <li> <code>networkidle</code> - wait until there are no network connections for at least 500 ms. This is a useful event to hook into for SPAs which load data after they have their initial render. However, it may either be too early or too late for page interaction.</li> </ol> <p>In reflow, there is an optional 4th event: <code>screenshotstable</code>. This event is fired when the page:</p> <ol> <li>Has not changed within 5s.</li> <li>Looks like the page in its most recent successful test.</li> </ol> <p>We introduced this event as most applications, when loading, either show a loading animation or continuously re-render whilst they load data. It introduces a minor delay to test actions, but we believe the decrease in flakiness makes it worthwhile.</p> <p>Similarly, for a deterministic end-to-end test sequence, the page almost always looks the same between test runs. Hence we can save a screenshot in S3 to track how the page looks like before an action execution, and compare it during the test execution to the previous successful run of the same device/browser/operating system.</p> <p>As always, a timeout needs to be set to avoid this waiting forever when the application has changed, or is not expected to stop rendering. In reflow, these timeouts are automatically configured based on how the page behaved when it was originally recorded or, if it exists, the most recent successful test execution. </p> <h3> Strategy 2: Intelligent Waiting </h3> <p>If an action expects to be on a given page, we can wait until the navigation to that page is complete with <code>page.waitForNavigation</code>. This can be important, as multiple <code>load</code> events may fire during a navigation sequence: hence a <code>page.waitForLoadState</code> will not always be enough.</p> <p>If an action affects a specific element, we can do further action-specific steps. For example;</p> <ol> <li>Wait for the element to be Attached to the DOM.</li> <li>Wait for the element to be Visible.</li> <li>Wait for the element to be Stable, as in not animating or completed animation</li> <li>Wait for the element to be able to receive events</li> <li>If the element is a clickable element, wait for the element to be <em>enabled</em>.</li> <li>If the element is a text-entry element, wait for the element to be <em>editable</em>.</li> </ol> <p>In playwright, these <a href="https://playwright.dev/docs/actionability">pre-action stability statements are automatically applied based on the interaction type</a>.</p> <p>In reflow, stability is further enhanced with:</p> <ol> <li>Waiting for the element to look the same as it did in the last successful run. I.e. continuously take screenshots of the element, and wait until they look the same (or a timeout). </li> <li>Apply a specific timeout to the element based on how long it took for the last DOM attribute update to be applied during the last successful run. E.g. if the button turned green via a <code>class</code> attribute change after 7s, wait at least 7s for the element to get DOM attribute changes, before further timeouts.</li> </ol> <h3> Strategy 3: Pick Good Selectors </h3> <p>When an application changes, the locators used to identify elements often also change. These locators are generally known as <em>selectors</em>.</p> <p>A smart development team will combat this with a strongly consistent element attribute, such as <code>data-test-id</code>. E.g.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nt">button</span> <span class="na">data-test-id</span><span class="p">=</span><span class="si">{</span><span class="s2">`test-actions-</span><span class="p">${</span><span class="nx">testId</span><span class="p">}</span><span class="s2">`</span><span class="si">}</span> <span class="p">/&gt;</span> </code></pre> </div> <p>To click such a button we can use the <code>data-test-id</code> attribute to locate the element.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nx">click</span><span class="p">(</span><span class="s2">`[data-test-id="test-actions-</span><span class="p">${</span><span class="nx">testId</span><span class="p">}</span><span class="s2">"]`</span><span class="p">);</span> </code></pre> </div> <p>Other good options, for scenarios where adding a specific element selector is undesirable, are:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Selector</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>placeholder="..."</code></td> <td>Placeholders are often unique to the element</td> </tr> <tr> <td><code>[aria-label="..."]</code></td> <td>An attribute used by assistive technologies to help identify an element (e.g. for a screen reader)</td> </tr> <tr> <td><code>img[alt="..."]</code></td> <td>An attribute used to denote alternate text for an image, if the image cannot be displayed</td> </tr> <tr> <td><code>role="..."</code></td> <td>A role attribute is used to add semantic meaning to an element for assistive technologies (e.g. screen readers)</td> </tr> <tr> <td><code>input[type="..."</code></td> <td>An input often has a unique/unchanging type that references it for short forms</td> </tr> <tr> <td><code>nodeName</code></td> <td>If an element node type is only used once, the <code>nodeName</code> (e.g. [<code>a</code> ; <code>input</code> ; <code>button</code>]) is often a good choice</td> </tr> <tr> <td><code>#...</code></td> <td>Elements are often assigned unique <code>id</code> attributes to aid in locating them by javascript.</td> </tr> </tbody> </table></div> <p>Reflow will pick up such selectors automatically during test recording, and score them by uniqueness and type. It will also:</p> <ol> <li>Combine parents selectors with their children to reduce ambiguity. E.g. <code>[data-test-id="foo"] &gt;&gt; [data-test-id="bar"]</code>.</li> <li>Calculate all the possible sets of selectors, rank them, and inspect the page for the most likely element based on how close they are to the most recent successful run's element.</li> <li>Compare all page elements made from partial selector matches to a screenshot of the most recent successful run's element, to enable auto-healing the locator when it cannot be found or is ambiguous. We call this a <code>Visual Selector</code> </li> </ol> <h3> Strategy 4: "Wait Until" checkpoints </h3> <p>This strategy relies on writing application-specific logic to be built to ensure the application is in a specific state.</p> <p>For instance, if a page element represents a calculation, and we want to wait for that calculation to be completed before moving on, a developer could write an assertion like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nx">waitForSelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">[aria-label="calculation"] &gt;&gt; text=29.76</span><span class="dl">'</span><span class="p">)</span> </code></pre> </div> <p>In reflow, such an assertion can be made with as long a timeout as desired. For instance, in most of reflow's internal test suite (powered by itself) it starts by:</p> <ol> <li>Making a new reflow test</li> <li>Navigating to the recording UI of that test</li> <li>Waiting until the recording UI looks like a pre-recorded screenshot, up to 5 minutes.</li> </ol> <p>The <a href="https://reflow.io/readme#visual-assertions">Visual Assertion</a> on step [3] removes the flakiness of both server startup times, and DNS propagation. It doesn't require any code, and works very reliably. When the starting URL has any visual changes, reflow will fail the test and offer an <a href="https://reflow.io/readme#auto-healing">auto-healing</a> option to quickly replace it with the new visual snapshot. </p> <h3> Strategy 5: Zero-dependency Data Seeding </h3> <p>This strategy helps combat the problem "The testing process must generally assume that the system is in a consistent starting state", by breaking out an initial test suite that resets application data.</p> <p>In reflow, this is done by adding a user to a team, accepting the invite, then removing them. After this sequence all the user's end-to-end tests are associated with the team that they just left, and they are in an empty team.</p> <p>In other applications, this might be done via invoking a REST endpoint directly in the test suite to reset application data. E.g. invoking a REST handler that resets the database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">post</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">variables</span><span class="p">.</span><span class="nx">url</span><span class="p">}</span><span class="s2">/reset/scenario/empty?token=</span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">variables</span><span class="p">.</span><span class="nx">secret</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> </code></pre> </div> <h2> Conclusion: Is there a way to eliminate all flaky tests forever? </h2> <p>No.</p> <p>An engineering team can be smart, and drastically reduce the amount of time spent maintaining end-to-end tests by applying these strategies. However that time will never go to zero whilst an application is being actively developed.</p> <p>Test Automation helps ensure that QA effort is placed on the boundaries of new feature development, rather than endlessly covering existing features on every application change.</p> <p>Commercial low-code automation tools like <a href="https://reflow.io">reflow.io</a> can allow product teams to work more <strong>effectively</strong> by reducing the <em>cost of automation</em>. They are not a magic pill, but can be a very valuable tool for teams where QA and development personnel want to work closer together on test automation, regardless of coding ability.</p> <p>Please sign up if you'd like to try it, have a look at our <a href="https://reflow.io/readme">README</a> to understand its capabilities, or reach out if you'd like a demo.</p> playwright testing tooling webdev Thomas Rooney Fri, 18 Mar 2022 15:00:09 +0000 https://dev.to/aws-builders/get-direct-traffic-to-ecs-fargate-containers-with-letsencrypt-cdk-and-aws-lambda-probably-a-bad-idea-3la7 https://dev.to/aws-builders/get-direct-traffic-to-ecs-fargate-containers-with-letsencrypt-cdk-and-aws-lambda-probably-a-bad-idea-3la7 <p>With a small amount of code, you can expose your running Fargate Tasks to the internet directly on an individual subdomain. For example, <code>${taskid}.eu-west-2.browser.reflow.io</code>.</p> <p>This is almost always a bad idea. However, if you really need to do it, this guide should help.</p> <h2> Why you shouldn't do this </h2> <p>AWS provides multiple battle-tested patterns to operate containerized workloads. These patterns are much easier to configure, less likely to break, and will work for the vast majority of customer use-cases. For example:</p> <ul> <li> <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs_patterns.ApplicationLoadBalancedFargateService.html" rel="noopener noreferrer">Application Load Balanced Fargate Service</a>: A Fargate service running on an ECS cluster fronted by an application load balancer. Benefits: <ol> <li>Supports health-checks implicitly, diverting traffic away from unhealthy instances before re-creating them.</li> <li>On a deployment via CodePipeline, managed services monitor the stability of newly provisioned services before gradually moving traffic onto them.</li> <li>Traffic is automatically distributed across different Availability Zones to provide data-center resilience.</li> </ol> </li> <li> <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs_patterns.QueueProcessingFargateService.html" rel="noopener noreferrer">Queue Processing Fargate Service</a>: A Fargate service auto-scaled to handle jobs in an SQS Queue. Benefits: <ol> <li>Can automatically retry jobs upon a failure.</li> <li>Will scale up/down based on asynchronous workloads</li> <li>Can handle long-lived jobs. </li> </ol> </li> </ul> <h2> Why we do this </h2> <p>At <a href="https://reflow.io" rel="noopener noreferrer">reflow</a>, we run web browsers to record and execute end-to-end tests on. To record tests, we need to be able to create a websocket with a server to hold transient state.</p> <p>ECS with Fargate is a great choice for this, as it removes the risk and operational overhead of running servers, but without the complexity introduced by Kubernetes. </p> <p>Our first design used the <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs_patterns.ApplicationLoadBalancedFargateService.html" rel="noopener noreferrer">Application Load Balanced Fargate Service</a> pattern, but we ran into the following problems:</p> <ol> <li>We wanted to run untrusted customer code on our servers, which requires both isolating customer workloads from each other, and zero privilege servers. Unfortunately it is non-trivial to do any customer-level physical isolation with ALB-fronted ECS Services.</li> <li>We wanted a multi-region architecture, but the cost of keeping one instance and a NAT Gateway warm in every region is significant to a bootstrapped startup. There didn't appear any way to allow clusters to scale to zero when not in use.</li> <li>We have a feature whereby multiple customers in the same team could share a single browser instance to collaborate on recording tests. However, this didn't work in our cloud instances, because we couldn't guarantee that multiple users in the same team would reach the same server.</li> </ol> <p>Using the following pattern, we have:</p> <ol> <li>Clusters which scale to zero when not in use. This means we don't need to pay a warm-instance fee for going multi-region.</li> <li>All customer workloads physically isolated from each other, and the ability to share transient server state between multiple users in the same team.</li> <li>The ability to bake expected customer ids into the server process's environment variables, simplifying authentication</li> <li>No need to run a NAT Gateway in each availability zone.</li> </ol> <p>With the main negatives:</p> <ol> <li>DNS propagation delays mean that the first time a customer uses a recording instance, they have to wait approximately 1 minute before the server is DNS-available.</li> <li>More moving parts to monitor.</li> </ol> <h2> Logical Components </h2> <ol> <li>LetsEncrypt SSL wildcard certificates, on a relevant domain. E.g. <code>*.eu-west-2.browser.reflow.io</code> </li> <li>An AWS Lambda task to renew the above certificate automatically, and alert us if there are any problems. This is scheduled to run monthly.</li> <li>An AWS Lambda task to automatically create and destroy DNS records for every task registered in our cluster.</li> <li>An ECS Cluster and Task Configuration to run our service on demand, and automatically register a public IP address.</li> <li>Extra application logic to register the task hostnames and get them to the client. We use AppSync/DynamoDB to get these to web-clients; when a server boots it saves to a dynamodb record that a client can read. Finally we bake a <code>TeamId</code> into the server's environment variables, a cognito custom attribute that must be signed within a client JWT for all web requests.</li> </ol> <p>Components [1], [2] and [3] are completely generic, so I'll describe them here. Once configured, any tasks created in the target ECS Cluster will be exposed via DNS. [4], [5] are domain-specific, so are unlikely to be useful or relevant for anyone else, but feel free to reach out if you have questions.</p> <h2> LetsEncrypt SSL Certificates </h2> <h3> CDK </h3> <p>We use CDK to manage all our infrastructure. The following is a Construct we use to manage our LetsEncrypt Lambda function.</p> <p>It creates:</p> <ul> <li>A S3 bucket to hold our certificates in</li> <li>A SNS topic to notify us when our certificates renew</li> <li>A Lambda function to actually renew everything. We have a wrapper <code>ReamplifyLambdaFunction</code> that allows us to pre-compile our code outside of CDK, but this can just as well be a <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_nodejs.NodejsFunction.html" rel="noopener noreferrer">NodeJSFunction</a>.</li> </ul> <p>It references:</p> <ul> <li>The hosted zone where we will place our task instance's DNS records, and the associated <code>domain</code> to suffix our tasks with.</li> <li>A <code>workspace</code> parameter, e.g. <code>dev</code> / <code>prod</code>. This allows us to provision multiple instances of this construct within one AWS account.</li> <li>An email address to send renewal notifications to.</li> <li>The <code>region/account</code> to store everything in </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Duration</span><span class="p">,</span> <span class="nx">RemovalPolicy</span><span class="p">,</span> <span class="nx">StackProps</span><span class="p">,</span> <span class="nx">Tags</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">BlockPublicAccess</span><span class="p">,</span> <span class="nx">Bucket</span><span class="p">,</span> <span class="nx">BucketEncryption</span><span class="p">,</span> <span class="nx">ObjectOwnership</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-s3</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Topic</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-sns</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">EmailSubscription</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-sns-subscriptions</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ReamplifyLambdaFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./reamplifyLambdaFunction</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PolicyStatement</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-iam</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">IHostedZone</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-route53</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Rule</span><span class="p">,</span> <span class="nx">Schedule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-events</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LambdaFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-events-targets</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">CertbotProps</span> <span class="p">{</span> <span class="nl">adminNotificationEmail</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">hostedZone</span><span class="p">:</span> <span class="nx">IHostedZone</span><span class="p">;</span> <span class="nl">domain</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">workspace</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">account</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">};</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">Certbot</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">certBucket</span><span class="p">:</span> <span class="nx">Bucket</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">StackProps</span> <span class="o">&amp;</span> <span class="nx">CertbotProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="nx">Tags</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="k">this</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">construct</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Certbot</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">certBucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bucket</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">bucketName</span><span class="p">:</span> <span class="s2">`certs.</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">region</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">workspace</span><span class="p">}</span><span class="s2">.reflow.io`</span><span class="p">,</span> <span class="na">objectOwnership</span><span class="p">:</span> <span class="nx">ObjectOwnership</span><span class="p">.</span><span class="nx">BUCKET_OWNER_PREFERRED</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">versioned</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">lifecycleRules</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">abortIncompleteMultipartUploadAfter</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="p">},</span> <span class="p">],</span> <span class="na">encryption</span><span class="p">:</span> <span class="nx">BucketEncryption</span><span class="p">.</span><span class="nx">S3_MANAGED</span><span class="p">,</span> <span class="na">enforceSSL</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">blockPublicAccess</span><span class="p">:</span> <span class="nx">BlockPublicAccess</span><span class="p">.</span><span class="nx">BLOCK_ALL</span><span class="p">,</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">certBucket</span> <span class="o">=</span> <span class="nx">certBucket</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">topic</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Topic</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CertAdminTopic</span><span class="dl">'</span><span class="p">);</span> <span class="nx">topic</span><span class="p">.</span><span class="nf">addSubscription</span><span class="p">(</span><span class="k">new</span> <span class="nc">EmailSubscription</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">adminNotificationEmail</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">fn</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ReamplifyLambdaFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">LambdaFn</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">workspace</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">workspace</span><span class="p">,</span> <span class="na">lambdaConfig</span><span class="p">:</span> <span class="dl">'</span><span class="s1">deploy/browserCerts.ts</span><span class="dl">'</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">15</span><span class="p">),</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">NOTIFY_EMAIL</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">adminNotificationEmail</span><span class="p">,</span> <span class="na">CERTIFICATES</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">([</span> <span class="p">{</span> <span class="na">domains</span><span class="p">:</span> <span class="p">[</span><span class="s2">`*.</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">domain</span><span class="p">}</span><span class="s2">`</span><span class="p">],</span> <span class="na">zoneId</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">hostedZone</span><span class="p">.</span><span class="nx">hostedZoneId</span><span class="p">,</span> <span class="na">certStorageBucketName</span><span class="p">:</span> <span class="nx">certBucket</span><span class="p">.</span><span class="nx">bucketName</span><span class="p">,</span> <span class="na">certStoragePrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">browser/</span><span class="dl">'</span><span class="p">,</span> <span class="na">successSnsTopicArn</span><span class="p">:</span> <span class="nx">topic</span><span class="p">.</span><span class="nx">topicArn</span><span class="p">,</span> <span class="na">failureSnsTopicArn</span><span class="p">:</span> <span class="nx">topic</span><span class="p">.</span><span class="nx">topicArn</span><span class="p">,</span> <span class="p">},</span> <span class="p">]),</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">fn</span><span class="p">.</span><span class="nf">addToRolePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">route53:ListHostedZones</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">],</span> <span class="p">})</span> <span class="p">);</span> <span class="nx">fn</span><span class="p">.</span><span class="nf">addToRolePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">route53:GetChange</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">route53:ChangeResourceRecordSets</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">arn:aws:route53:::change/*</span><span class="dl">'</span><span class="p">].</span><span class="nf">concat</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">hostedZone</span><span class="p">.</span><span class="nx">hostedZoneArn</span><span class="p">),</span> <span class="p">})</span> <span class="p">);</span> <span class="nx">fn</span><span class="p">.</span><span class="nf">addToRolePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ssm:GetParameter</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ssm:PutParameter</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">],</span> <span class="p">})</span> <span class="p">);</span> <span class="nx">certBucket</span><span class="p">.</span><span class="nf">grantWrite</span><span class="p">(</span><span class="nx">fn</span><span class="p">);</span> <span class="nx">topic</span><span class="p">.</span><span class="nf">grantPublish</span><span class="p">(</span><span class="nx">fn</span><span class="p">);</span> <span class="k">new</span> <span class="nc">Rule</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">trigger</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">schedule</span><span class="p">:</span> <span class="nx">Schedule</span><span class="p">.</span><span class="nf">cron</span><span class="p">({</span> <span class="na">minute</span><span class="p">:</span> <span class="dl">'</span><span class="s1">32</span><span class="dl">'</span><span class="p">,</span> <span class="na">hour</span><span class="p">:</span> <span class="dl">'</span><span class="s1">17</span><span class="dl">'</span><span class="p">,</span> <span class="na">day</span><span class="p">:</span> <span class="dl">'</span><span class="s1">3</span><span class="dl">'</span><span class="p">,</span> <span class="na">month</span><span class="p">:</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">,</span> <span class="na">year</span><span class="p">:</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span> <span class="p">}),</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[</span><span class="k">new</span> <span class="nc">LambdaFunction</span><span class="p">(</span><span class="nx">fn</span><span class="p">)],</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> AWS Lambda Function </h3> <p>Dependencies:</p> <ul> <li> <code>acme-client</code>: <code>4.2.3</code> </li> </ul> <p>This leans very heavily on <code>acme-client</code> to do all the heavy lifting, with a scattering of logic to:</p> <ul> <li>Maintain SSM parameters to ensure that only one account is managed within LetsEncrypt, rather than creating a new account each time, but ensure that this can be run without any pre-dependencies when spinning up a new environment.</li> <li>Answer the LetsEncrypt challenges with DNS records to prove we own the given domain.</li> <li>Store the resultant certificates in S3.</li> <li>Notify an admin that the certificate has been issued (or not, if there was a failure). </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">AWS</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">acme</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">acme-client</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">route53</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">Route53</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">s3</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">S3</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">sns</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SNS</span><span class="p">();</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">assertEnv</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">!==</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="dl">'</span><span class="s1">resolved by process.env as</span><span class="dl">'</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span><span class="o">!</span><span class="p">);</span> <span class="k">return</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span><span class="o">!</span><span class="p">;</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`expected environment variable </span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">assertEnvOrSSM</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">shouldThrow</span> <span class="o">=</span> <span class="kc">true</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">workspace</span> <span class="o">=</span> <span class="nf">assertEnv</span><span class="p">(</span><span class="dl">'</span><span class="s1">workspace</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">!==</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="dl">'</span><span class="s1">resolved by process.env as</span><span class="dl">'</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span><span class="o">!</span><span class="p">);</span> <span class="k">return</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span><span class="o">!</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">SSMLocation</span> <span class="o">=</span> <span class="s2">`/</span><span class="p">${</span><span class="nx">workspace</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="dl">'</span><span class="s1">resolving via SSM at</span><span class="dl">'</span><span class="p">,</span> <span class="nx">SSMLocation</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">SSM</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SSM</span><span class="p">();</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ssmResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">SSM</span><span class="p">.</span><span class="nf">getParameter</span><span class="p">({</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">SSMLocation</span><span class="p">,</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">ssmResponse</span><span class="p">.</span><span class="nx">Parameter</span> <span class="o">||</span> <span class="o">!</span><span class="nx">ssmResponse</span><span class="p">.</span><span class="nx">Parameter</span><span class="p">.</span><span class="nx">Value</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`env </span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2"> missing`</span><span class="p">);</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="dl">'</span><span class="s1">resolved by SSM as</span><span class="dl">'</span><span class="p">,</span> <span class="nx">ssmResponse</span><span class="p">.</span><span class="nx">Parameter</span><span class="p">.</span><span class="nx">Value</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nx">ssmResponse</span><span class="p">.</span><span class="nx">Parameter</span><span class="p">.</span><span class="nx">Value</span><span class="p">;</span> <span class="k">return</span> <span class="nx">ssmResponse</span><span class="p">.</span><span class="nx">Parameter</span><span class="p">.</span><span class="nx">Value</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`SSM.getParameter({Name: </span><span class="p">${</span><span class="nx">SSMLocation</span><span class="p">}</span><span class="s2">}):`</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">shouldThrow</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="nx">e</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="dl">''</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">writeSSM</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">value</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">workspace</span> <span class="o">=</span> <span class="nf">assertEnv</span><span class="p">(</span><span class="dl">'</span><span class="s1">workspace</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">SSMLocation</span> <span class="o">=</span> <span class="s2">`/</span><span class="p">${</span><span class="nx">workspace</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="dl">'</span><span class="s1">writing to SSM at</span><span class="dl">'</span><span class="p">,</span> <span class="nx">SSMLocation</span><span class="p">,</span> <span class="dl">'</span><span class="s1">value</span><span class="dl">'</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">SSM</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SSM</span><span class="p">();</span> <span class="k">await</span> <span class="nx">SSM</span><span class="p">.</span><span class="nf">putParameter</span><span class="p">({</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">SSMLocation</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">value</span><span class="p">,</span> <span class="na">Overwrite</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">DataType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span><span class="p">,</span> <span class="na">Tier</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Standard</span><span class="dl">'</span><span class="p">,</span> <span class="na">Type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">String</span><span class="dl">'</span><span class="p">,</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="p">};</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getOrCreateAccountPrivateKey</span><span class="p">()</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">accountKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">assertEnvOrSSM</span><span class="p">(</span><span class="dl">'</span><span class="s1">LETSENCRYPT_ACCOUNT_KEY</span><span class="dl">'</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">accountKey</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">accountKey</span><span class="p">;</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Generating Account Key</span><span class="dl">'</span><span class="p">);</span> <span class="nx">accountKey</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nx">acme</span><span class="p">.</span><span class="nx">forge</span><span class="p">.</span><span class="nf">createPrivateKey</span><span class="p">()).</span><span class="nf">toString</span><span class="p">();</span> <span class="k">await</span> <span class="nf">writeSSM</span><span class="p">(</span><span class="dl">'</span><span class="s1">LETSENCRYPT_ACCOUNT_KEY</span><span class="dl">'</span><span class="p">,</span> <span class="nx">accountKey</span><span class="p">);</span> <span class="k">return</span> <span class="nx">accountKey</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span> <span class="o">=</span> <span class="k">async</span> <span class="nf">function </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">maintainerEmail</span> <span class="o">=</span> <span class="nf">assertEnv</span><span class="p">(</span><span class="dl">'</span><span class="s1">NOTIFY_EMAIL</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">accountURL</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">assertEnvOrSSM</span><span class="p">(</span><span class="dl">'</span><span class="s1">LETSENCRYPT_ACCOUNT_URL</span><span class="dl">'</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">certificates</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nf">assertEnv</span><span class="p">(</span><span class="dl">'</span><span class="s1">CERTIFICATES</span><span class="dl">'</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">accountPrivateKey</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getOrCreateAccountPrivateKey</span><span class="p">();</span> <span class="nx">acme</span><span class="p">.</span><span class="nf">setLogger</span><span class="p">(</span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">acme</span><span class="p">.</span><span class="nc">Client</span><span class="p">({</span> <span class="na">directoryUrl</span><span class="p">:</span> <span class="nx">acme</span><span class="p">.</span><span class="nx">directory</span><span class="p">.</span><span class="nx">letsencrypt</span><span class="p">.</span><span class="nx">production</span><span class="p">,</span> <span class="na">accountKey</span><span class="p">:</span> <span class="nx">accountPrivateKey</span><span class="p">,</span> <span class="na">accountUrl</span><span class="p">:</span> <span class="nx">accountURL</span> <span class="p">?</span> <span class="nx">accountURL</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">certificateRuns</span> <span class="o">=</span> <span class="nx">certificates</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">certificate</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">domains</span><span class="p">,</span> <span class="nx">zoneId</span><span class="p">,</span> <span class="nx">certStorageBucketName</span><span class="p">,</span> <span class="nx">certStoragePrefix</span><span class="p">,</span> <span class="nx">successSnsTopicArn</span><span class="p">,</span> <span class="nx">failureSnsTopicArn</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">certificate</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">certificateKey</span><span class="p">,</span> <span class="nx">certificateCsr</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">acme</span><span class="p">.</span><span class="nx">forge</span><span class="p">.</span><span class="nf">createCsr</span><span class="p">({</span> <span class="na">commonName</span><span class="p">:</span> <span class="nx">domains</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="na">altNames</span><span class="p">:</span> <span class="nx">domains</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">certificate</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">auto</span><span class="p">({</span> <span class="na">csr</span><span class="p">:</span> <span class="nx">certificateCsr</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">maintainerEmail</span><span class="p">,</span> <span class="na">termsOfServiceAgreed</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">challengeCreateFn</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">authz</span><span class="p">,</span> <span class="nx">challenge</span><span class="p">,</span> <span class="nx">keyAuthorization</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">authz</span><span class="p">,</span> <span class="nx">challenge</span><span class="p">,</span> <span class="nx">keyAuthorization</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">dnsRecord</span> <span class="o">=</span> <span class="s2">`_acme-challenge.</span><span class="p">${</span><span class="nx">authz</span><span class="p">.</span><span class="nx">identifier</span><span class="p">.</span><span class="nx">value</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">challenge</span><span class="p">.</span><span class="kd">type</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">dns-01</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Only DNS-01 challenges are supported</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">changeReq</span> <span class="o">=</span> <span class="p">{</span> <span class="na">ChangeBatch</span><span class="p">:</span> <span class="p">{</span> <span class="na">Changes</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UPSERT</span><span class="dl">'</span><span class="p">,</span> <span class="na">ResourceRecordSet</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">dnsRecord</span><span class="p">,</span> <span class="na">ResourceRecords</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Value</span><span class="p">:</span> <span class="dl">'</span><span class="s1">"</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">keyAuthorization</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">"</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="na">TTL</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="na">Type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TXT</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="na">HostedZoneId</span><span class="p">:</span> <span class="nx">zoneId</span><span class="p">,</span> <span class="p">};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Sending create request</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">changeReq</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">route53</span><span class="p">.</span><span class="nf">changeResourceRecordSets</span><span class="p">(</span><span class="nx">changeReq</span><span class="p">).</span><span class="nf">promise</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">changeId</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">ChangeInfo</span><span class="p">.</span><span class="nx">Id</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Create request sent for </span><span class="p">${</span><span class="nx">dnsRecord</span><span class="p">}</span><span class="s2"> (Change id </span><span class="p">${</span><span class="nx">changeId</span><span class="p">}</span><span class="s2">); waiting for it to complete`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">waitRequest</span> <span class="o">=</span> <span class="nx">route53</span><span class="p">.</span><span class="nf">waitFor</span><span class="p">(</span><span class="dl">'</span><span class="s1">resourceRecordSetsChanged</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">Id</span><span class="p">:</span> <span class="nx">changeId</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">waitResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">waitRequest</span><span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">`Create request complete for </span><span class="p">${</span><span class="nx">dnsRecord</span><span class="p">}</span><span class="s2">: (Change id </span><span class="p">${</span><span class="nx">waitResponse</span><span class="p">.</span><span class="nx">ChangeInfo</span><span class="p">.</span><span class="nx">Id</span><span class="p">}</span><span class="s2">) </span><span class="p">${</span><span class="nx">waitResponse</span><span class="p">.</span><span class="nx">ChangeInfo</span><span class="p">.</span><span class="nx">Status</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">},</span> <span class="na">challengeRemoveFn</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">authz</span><span class="p">,</span> <span class="nx">challenge</span><span class="p">,</span> <span class="nx">keyAuthorization</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">dnsRecord</span> <span class="o">=</span> <span class="s2">`_acme-challenge.</span><span class="p">${</span><span class="nx">authz</span><span class="p">.</span><span class="nx">identifier</span><span class="p">.</span><span class="nx">value</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">deleteReq</span> <span class="o">=</span> <span class="p">{</span> <span class="na">ChangeBatch</span><span class="p">:</span> <span class="p">{</span> <span class="na">Changes</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">,</span> <span class="na">ResourceRecordSet</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">dnsRecord</span><span class="p">,</span> <span class="na">ResourceRecords</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Value</span><span class="p">:</span> <span class="dl">'</span><span class="s1">"</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">keyAuthorization</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">"</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="na">TTL</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="na">Type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TXT</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="na">HostedZoneId</span><span class="p">:</span> <span class="nx">zoneId</span><span class="p">,</span> <span class="p">};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Sending delete request</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">deleteReq</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">route53</span><span class="p">.</span><span class="nf">changeResourceRecordSets</span><span class="p">(</span><span class="nx">deleteReq</span><span class="p">).</span><span class="nf">promise</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">changeId</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">ChangeInfo</span><span class="p">.</span><span class="nx">Id</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Delete request sent for </span><span class="p">${</span><span class="nx">dnsRecord</span><span class="p">}</span><span class="s2"> (Change id </span><span class="p">${</span><span class="nx">changeId</span><span class="p">}</span><span class="s2">); waiting for it to complete`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">waitRequest</span> <span class="o">=</span> <span class="nx">route53</span><span class="p">.</span><span class="nf">waitFor</span><span class="p">(</span><span class="dl">'</span><span class="s1">resourceRecordSetsChanged</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">Id</span><span class="p">:</span> <span class="nx">changeId</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">waitResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">waitRequest</span><span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">`Delete request complete for </span><span class="p">${</span><span class="nx">dnsRecord</span><span class="p">}</span><span class="s2">: (Change id </span><span class="p">${</span><span class="nx">waitResponse</span><span class="p">.</span><span class="nx">ChangeInfo</span><span class="p">.</span><span class="nx">Id</span><span class="p">}</span><span class="s2">) </span><span class="p">${</span><span class="nx">waitResponse</span><span class="p">.</span><span class="nx">ChangeInfo</span><span class="p">.</span><span class="nx">Status</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">},</span> <span class="na">challengePriority</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">dns-01</span><span class="dl">'</span><span class="p">],</span> <span class="p">});</span> <span class="c1">// Write private key &amp; certificate to S3</span> <span class="kd">const</span> <span class="nx">certKeyWritingPromise</span> <span class="o">=</span> <span class="nx">s3</span> <span class="p">.</span><span class="nf">putObject</span><span class="p">({</span> <span class="na">Body</span><span class="p">:</span> <span class="nx">certificateKey</span><span class="p">.</span><span class="nf">toString</span><span class="p">(),</span> <span class="na">Bucket</span><span class="p">:</span> <span class="nx">certStorageBucketName</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="nx">certStoragePrefix</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">key.pem</span><span class="dl">'</span><span class="p">,</span> <span class="na">ServerSideEncryption</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AES256</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">certChainWritingPromise</span> <span class="o">=</span> <span class="nx">s3</span> <span class="p">.</span><span class="nf">putObject</span><span class="p">({</span> <span class="na">Body</span><span class="p">:</span> <span class="nx">certificate</span><span class="p">,</span> <span class="na">Bucket</span><span class="p">:</span> <span class="nx">certStorageBucketName</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="nx">certStoragePrefix</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">cert.pem</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">([</span><span class="nx">certKeyWritingPromise</span><span class="p">,</span> <span class="nx">certChainWritingPromise</span><span class="p">]);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Completed with certificate for </span><span class="dl">'</span><span class="p">,</span> <span class="nx">domains</span><span class="p">);</span> <span class="c1">// after client.auto, an account should be available</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">accountURL</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">writeSSM</span><span class="p">(</span><span class="dl">'</span><span class="s1">LETSENCRYPT_ACCOUNT_URL</span><span class="dl">'</span><span class="p">,</span> <span class="nx">client</span><span class="p">.</span><span class="nf">getAccountUrl</span><span class="p">());</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">successSnsTopicArn</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">sns</span> <span class="p">.</span><span class="nf">publish</span><span class="p">({</span> <span class="na">TopicArn</span><span class="p">:</span> <span class="nx">successSnsTopicArn</span><span class="p">,</span> <span class="na">Message</span><span class="p">:</span> <span class="s2">`Certificate for </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">domains</span><span class="p">)}</span><span class="s2"> issued`</span><span class="p">,</span> <span class="na">Subject</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Certificate Issue Success</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error </span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">failureSnsTopicArn</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">sns</span> <span class="p">.</span><span class="nf">publish</span><span class="p">({</span> <span class="na">TopicArn</span><span class="p">:</span> <span class="nx">failureSnsTopicArn</span><span class="p">,</span> <span class="na">Message</span><span class="p">:</span> <span class="s2">`Certificate for </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">domains</span><span class="p">)}</span><span class="s2"> issue failure\n</span><span class="p">${</span><span class="nx">err</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">Subject</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Certificate Issue Failure</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="p">}</span> <span class="k">throw</span> <span class="nx">err</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span><span class="nx">certificateRuns</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h2> Automatic DNS Records </h2> <h3> CDK </h3> <p>This references:</p> <ul> <li>A <code>clusterArn</code> to collect ECS EventStream events for any task state changes in the cluster</li> <li>The <code>serviceDiscoveryTLD</code> (in our case <code>browser.${props.env.region}.reflow.io</code>) to suffix DNS records</li> <li>The route 53 hosted zone to create records in </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Rule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-events</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LambdaFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-events-targets</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PolicyStatement</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-iam</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// ...</span> <span class="kd">const</span> <span class="nx">eventRule</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Rule</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ECSChangeRule</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">eventPattern</span><span class="p">:</span> <span class="p">{</span> <span class="na">source</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">aws.ecs</span><span class="dl">'</span><span class="p">],</span> <span class="na">detailType</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ECS Task State Change</span><span class="dl">'</span><span class="p">],</span> <span class="na">detail</span><span class="p">:</span> <span class="p">{</span> <span class="na">clusterArn</span><span class="p">:</span> <span class="p">[</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">clusterArn</span><span class="p">],</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">ecsChangeFn</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ReamplifyLambdaFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ECSStreamLambda</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span><span class="nx">props</span><span class="p">,</span> <span class="na">lambdaConfig</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stream/ecsChangeStream.ts</span><span class="dl">'</span><span class="p">,</span> <span class="na">unreservedConcurrency</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">memorySize</span><span class="p">:</span> <span class="mi">128</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">DOMAIN_PREFIX</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">serviceDiscoveryTLD</span><span class="p">,</span> <span class="na">HOSTED_ZONE_ID</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">hostedZone</span><span class="p">.</span><span class="nx">hostedZoneId</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">eventRule</span><span class="p">.</span><span class="nf">addTarget</span><span class="p">(</span><span class="k">new</span> <span class="nc">LambdaFunction</span><span class="p">(</span><span class="nx">ecsChangeFn</span><span class="p">));</span> <span class="nx">ecsChangeFn</span><span class="p">.</span><span class="nf">addToRolePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">route53:GetChange</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">route53:ChangeResourceRecordSets</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">route53:ListResourceRecordSets</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">arn:aws:route53:::change/*</span><span class="dl">'</span><span class="p">].</span><span class="nf">concat</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">hostedZone</span><span class="p">.</span><span class="nx">hostedZoneArn</span><span class="p">),</span> <span class="p">})</span> <span class="p">);</span> <span class="nx">ecsChangeFn</span><span class="p">.</span><span class="nf">addToRolePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ec2:DescribeNetworkInterfaces</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">],</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <h3> AWS Lambda </h3> <p>This function:</p> <ul> <li>Does some sanity checks on if the event should affect DNS records</li> <li>If the task both currently <code>RUNNING</code> and desired <code>RUNNING</code>: <ul> <li>Looks up the public IP of the task.</li> <li>Upserts an <code>A</code> record pointing at the tasks public IP, on <code>${taskId}.${DOMAIN_PREFIX}</code> </li> </ul> </li> <li>Else: <ul> <li>Deletes the <code>A</code> record associated with the task. </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">EventBridgeHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-lambda</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">AWS</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Task</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-sdk/clients/ecs</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">assertEnv</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">!==</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">env</span><span class="dl">'</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="dl">'</span><span class="s1">resolved by process.env as</span><span class="dl">'</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span><span class="o">!</span><span class="p">);</span> <span class="k">return</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span><span class="o">!</span><span class="p">;</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`expected environment variable </span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">ec2</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">EC2</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">route53</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">Route53</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">DOMAIN_PREFIX</span> <span class="o">=</span> <span class="nf">assertEnv</span><span class="p">(</span><span class="dl">'</span><span class="s1">DOMAIN_PREFIX</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">HOSTED_ZONE_ID</span> <span class="o">=</span> <span class="nf">assertEnv</span><span class="p">(</span><span class="dl">'</span><span class="s1">HOSTED_ZONE_ID</span><span class="dl">'</span><span class="p">);</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span><span class="p">:</span> <span class="nx">EventBridgeHandler</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">Task</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">event</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">event</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">task</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">detail</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">clusterArn</span> <span class="o">=</span> <span class="nx">task</span><span class="p">.</span><span class="nx">clusterArn</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">lastStatus</span> <span class="o">=</span> <span class="nx">task</span><span class="p">.</span><span class="nx">lastStatus</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">desiredStatus</span> <span class="o">=</span> <span class="nx">task</span><span class="p">.</span><span class="nx">desiredStatus</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">clusterArn</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">lastStatus</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">desiredStatus</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">taskArn</span> <span class="o">=</span> <span class="nx">task</span><span class="p">.</span><span class="nx">taskArn</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">taskArn</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">taskId</span> <span class="o">=</span> <span class="nx">taskArn</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">).</span><span class="nf">pop</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">taskId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">clusterName</span> <span class="o">=</span> <span class="nx">clusterArn</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">:cluster/</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">clusterName</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">containerDomain</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">taskId</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">DOMAIN_PREFIX</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">lastStatus</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">RUNNING</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">desiredStatus</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">RUNNING</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">eniId</span> <span class="o">=</span> <span class="nf">getEniId</span><span class="p">(</span><span class="nx">task</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">eniId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">taskPublicIp</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetchEniPublicIp</span><span class="p">(</span><span class="nx">eniId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">taskPublicIp</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">recordSet</span> <span class="o">=</span> <span class="nf">createRecordSet</span><span class="p">(</span><span class="nx">containerDomain</span><span class="p">,</span> <span class="nx">taskPublicIp</span><span class="p">);</span> <span class="k">await</span> <span class="nf">updateDnsRecord</span><span class="p">(</span><span class="nx">clusterName</span><span class="p">,</span> <span class="nx">HOSTED_ZONE_ID</span><span class="p">,</span> <span class="nx">recordSet</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`DNS record update finished for </span><span class="p">${</span><span class="nx">taskId</span><span class="p">}</span><span class="s2"> (</span><span class="p">${</span><span class="nx">taskPublicIp</span><span class="p">}</span><span class="s2">)`</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">recordSet</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">route53</span> <span class="p">.</span><span class="nf">listResourceRecordSets</span><span class="p">({</span> <span class="na">HostedZoneId</span><span class="p">:</span> <span class="nx">HOSTED_ZONE_ID</span><span class="p">,</span> <span class="na">StartRecordName</span><span class="p">:</span> <span class="nx">containerDomain</span><span class="p">,</span> <span class="na">StartRecordType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">listRecordSets</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">recordSet</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">found</span> <span class="o">=</span> <span class="nx">recordSet</span><span class="p">.</span><span class="nx">ResourceRecordSets</span><span class="p">.</span><span class="nf">find</span><span class="p">((</span><span class="nx">record</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">record</span><span class="p">.</span><span class="nx">Name</span> <span class="o">===</span> <span class="nx">containerDomain</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">found</span> <span class="o">&amp;&amp;</span> <span class="nx">found</span><span class="p">.</span><span class="nx">ResourceRecords</span><span class="p">?.[</span><span class="mi">0</span><span class="p">].</span><span class="nx">Value</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">route53</span> <span class="p">.</span><span class="nf">changeResourceRecordSets</span><span class="p">({</span> <span class="na">HostedZoneId</span><span class="p">:</span> <span class="nx">HOSTED_ZONE_ID</span><span class="p">,</span> <span class="na">ChangeBatch</span><span class="p">:</span> <span class="p">{</span> <span class="na">Changes</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">,</span> <span class="na">ResourceRecordSet</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">containerDomain</span><span class="p">,</span> <span class="na">Type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">,</span> <span class="na">ResourceRecords</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">found</span><span class="p">.</span><span class="nx">ResourceRecords</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">Value</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="na">TTL</span><span class="p">:</span> <span class="nx">found</span><span class="p">.</span><span class="nx">TTL</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="p">};</span> <span class="kd">function</span> <span class="nf">getEniId</span><span class="p">(</span><span class="nx">task</span><span class="p">):</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">eniAttachment</span> <span class="o">=</span> <span class="nx">task</span><span class="p">.</span><span class="nx">attachments</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nf">function </span><span class="p">(</span><span class="nx">attachment</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">attachment</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">eni</span><span class="dl">'</span><span class="p">;</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">eniAttachment</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">undefined</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">networkInterfaceIdDetail</span> <span class="o">=</span> <span class="nx">eniAttachment</span><span class="p">.</span><span class="nx">details</span><span class="p">.</span><span class="nf">find</span><span class="p">((</span><span class="nx">detail</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">detail</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">networkInterfaceId</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">networkInterfaceIdDetail</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">undefined</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">networkInterfaceIdDetail</span><span class="p">.</span><span class="nx">value</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchEniPublicIp</span><span class="p">(</span><span class="nx">eniId</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ec2</span> <span class="p">.</span><span class="nf">describeNetworkInterfaces</span><span class="p">({</span> <span class="na">NetworkInterfaceIds</span><span class="p">:</span> <span class="p">[</span><span class="nx">eniId</span><span class="p">],</span> <span class="p">})</span> <span class="p">.</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="k">return</span> <span class="nx">data</span><span class="p">.</span><span class="nx">NetworkInterfaces</span><span class="p">?.[</span><span class="mi">0</span><span class="p">].</span><span class="nx">PrivateIpAddresses</span><span class="p">?.[</span><span class="mi">0</span><span class="p">].</span><span class="nx">Association</span><span class="p">?.</span><span class="nx">PublicIp</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">createRecordSet</span><span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="nx">publicIp</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UPSERT</span><span class="dl">'</span><span class="p">,</span> <span class="na">ResourceRecordSet</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">domain</span><span class="p">,</span> <span class="na">Type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">,</span> <span class="na">TTL</span><span class="p">:</span> <span class="mi">60</span><span class="p">,</span> <span class="na">ResourceRecords</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">publicIp</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">updateDnsRecord</span><span class="p">(</span><span class="nx">clusterName</span><span class="p">,</span> <span class="nx">hostedZoneId</span><span class="p">,</span> <span class="nx">changeRecordSet</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">param</span> <span class="o">=</span> <span class="p">{</span> <span class="na">ChangeBatch</span><span class="p">:</span> <span class="p">{</span> <span class="na">Comment</span><span class="p">:</span> <span class="s2">`Auto generated Record for ECS Fargate cluster </span><span class="p">${</span><span class="nx">clusterName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">Changes</span><span class="p">:</span> <span class="p">[</span><span class="nx">changeRecordSet</span><span class="p">],</span> <span class="p">},</span> <span class="na">HostedZoneId</span><span class="p">:</span> <span class="nx">hostedZoneId</span><span class="p">,</span> <span class="p">};</span> <span class="k">await</span> <span class="nx">route53</span><span class="p">.</span><span class="nf">changeResourceRecordSets</span><span class="p">(</span><span class="nx">param</span><span class="p">).</span><span class="nf">promise</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> Running this in Production </h2> <p>This has been in production for two months now, and whilst it's not perfect, it's working well for us.</p> <p>Things we unnecessarily worried about:</p> <ul> <li>We were worried that DNS Records would accumulate as some error conditions would result in them not being removed. Many thousands DNS records created later, we haven't seen this as an issue.</li> <li>We were worried about Route53 throttling our DNS change requests. Whilst we've seen this happen a few times, our lambdas do automatically retry and it eventually gets through.</li> </ul> <p>Negatives: </p> <ul> <li>We have seen some flakiness in our E2E tests where sometimes a browser will not use the new DNS records until a refresh, even when waiting beyond the TTL. We had to automate around this.</li> <li>Server orchestration logic is a lot more complex when you are managing individual ECS Tasks. </li> </ul> aws devops typescript serverless