DEV Community: Wesley Cheek The latest articles on DEV Community by Wesley Cheek (@wesleycheek). https://dev.to/wesleycheek https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F830852%2Fdeebcd5c-52af-463c-8147-867598e5b33c.jpeg DEV Community: Wesley Cheek https://dev.to/wesleycheek en Deploy a Cognito Secured WebSocket API with AWS CDK Wesley Cheek Fri, 08 Mar 2024 07:12:09 +0000 https://dev.to/wesleycheek/deploy-a-cognito-secured-websocket-api-with-aws-cdk-jei https://dev.to/wesleycheek/deploy-a-cognito-secured-websocket-api-with-aws-cdk-jei <p><a href="https://aws.amazon.com/api-gateway/">API Gateway</a> is great for knitting together serverless application, but have you ever wanted a little more? WebSocket APIs offer many benefits by allowing active two-way communication between your clients and backend. Consider a WebSocket API when building real-time apps.</p> <p>This post will show you how to deploy a WebSocket API that is secured using <a href="https://aws.amazon.com/cognito/">AWS Cognito</a>. Clients can connect to the WebSocket by using the <code>idToken</code> retrieved from <code>Cognito</code> after a successful login. This post is heavily inspired by <a href="https://github.com/aws-samples/websocket-api-cognito-auth-sample/blob/main/README_en.md#implementation">this AWS sample</a> and <a href="https://dev.to/aws-builders/building-websocket-apis-with-aws-api-gateway-and-cdk-1i27">this dev.to article</a>. I have simplified the code and refactored it a bit for my own purposes and understanding.</p> <p>Let's start by creating our Auth backend. We create a <code>Cognito UserPool</code> and a <code>Cognito UserPool Client</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">aws_cognito</span> <span class="k">as</span> <span class="nx">cognito</span><span class="p">,</span> <span class="nx">RemovalPolicy</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">constructs</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">Auth</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="nl">userPool</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPool</span><span class="p">;</span> <span class="nl">userPoolClient</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPoolClient</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPool</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">_userPool</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">userPoolClient</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">_userPoolClient</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">userPool</span><span class="p">);</span> <span class="p">}</span> <span class="nf">_userPool</span><span class="p">():</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPool</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">userPool</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">UserPool</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">userPool</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">userPool</span><span class="p">;</span> <span class="p">}</span> <span class="nf">_userPoolClient</span><span class="p">(</span><span class="nx">userPool</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPool</span><span class="p">):</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPoolClient</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">userPoolClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">UserPoolClient</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">userPoolClient</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">userPool</span><span class="p">:</span> <span class="nx">userPool</span><span class="p">,</span> <span class="na">authFlows</span><span class="p">:</span> <span class="p">{</span> <span class="na">userSrp</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">userPassword</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">userPoolClient</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now let's use these to associate the WebSocket <code>$connect</code> route with a <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-lambda-auth.html"><code>Custom Authorizer Lambda</code></a>. Follow along with the comments<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">aws_cognito</span> <span class="k">as</span> <span class="nx">cognito</span><span class="p">,</span> <span class="nx">aws_apigatewayv2</span> <span class="k">as</span> <span class="nx">apigatewayv2</span><span class="p">,</span> <span class="nx">aws_apigatewayv2_integrations</span> <span class="k">as</span> <span class="nx">apigatewayv2_integrations</span><span class="p">,</span> <span class="nx">aws_apigatewayv2_authorizers</span> <span class="k">as</span> <span class="nx">apigatewayv2_auth</span><span class="p">,</span> <span class="nx">aws_lambda_nodejs</span> <span class="k">as</span> <span class="nx">lambdaNode</span><span class="p">,</span> <span class="nx">aws_lambda</span> <span class="k">as</span> <span class="nx">lambda</span><span class="p">,</span> <span class="nx">aws_dynamodb</span> <span class="k">as</span> <span class="nx">dynamo</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RemovalPolicy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-cdk-lib</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">constructs</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">path</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">API</span> <span class="kd">extends</span> <span class="nc">Construct</span> <span class="p">{</span> <span class="nl">apiv2</span><span class="p">:</span> <span class="nx">apigatewayv2</span><span class="p">.</span><span class="nx">HttpApi</span><span class="p">;</span> <span class="nl">websocket</span><span class="p">:</span> <span class="nx">apigatewayv2</span><span class="p">.</span><span class="nx">WebSocketApi</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span> <span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="c1">// We get these from our `Auth` construct above</span> <span class="nx">userPool</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPool</span><span class="p">,</span> <span class="nx">userPoolClient</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPoolClient</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">websocket</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">_webSocket</span><span class="p">(</span><span class="nx">userPool</span><span class="p">,</span> <span class="nx">userPoolClient</span><span class="p">);</span> <span class="nf">_webSocket</span><span class="p">(</span> <span class="nx">userPool</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPool</span><span class="p">,</span> <span class="nx">userPoolClient</span><span class="p">:</span> <span class="nx">cognito</span><span class="p">.</span><span class="nx">UserPoolClient</span><span class="p">,</span> <span class="p">):</span> <span class="nx">apigatewayv2</span><span class="p">.</span><span class="nx">WebSocketApi</span> <span class="p">{</span> <span class="c1">// This DynamoDB table will be used to save the `connectionId` when </span> <span class="c1">// clients connect.</span> <span class="kd">const</span> <span class="nx">connectionIdTable</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">dynamo</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ConnectionIdTable</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">partitionKey</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">connectionId</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">dynamo</span><span class="p">.</span><span class="nx">AttributeType</span><span class="p">.</span><span class="nx">STRING</span> <span class="p">},</span> <span class="na">timeToLiveAttribute</span><span class="p">:</span> <span class="dl">"</span><span class="s2">removedAt</span><span class="dl">"</span><span class="p">,</span> <span class="na">billingMode</span><span class="p">:</span> <span class="nx">dynamo</span><span class="p">.</span><span class="nx">BillingMode</span><span class="p">.</span><span class="nx">PAY_PER_REQUEST</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// The `userId` is used to uniquely ID the connected user associated </span> <span class="c1">// with the `Cognito UserPool`. We'll use this to clean-up the </span> <span class="c1">// database upon client `disconnect`</span> <span class="nx">connectionIdTable</span><span class="p">.</span><span class="nf">addGlobalSecondaryIndex</span><span class="p">({</span> <span class="na">partitionKey</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">userId</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">dynamo</span><span class="p">.</span><span class="nx">AttributeType</span><span class="p">.</span><span class="nx">STRING</span> <span class="p">},</span> <span class="na">indexName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">userIdIndex</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// This lambda function will be used to authorize the connection. </span> <span class="c1">// Upon successful connection, it will save user information into </span> <span class="c1">// the DynamoDB table</span> <span class="kd">const</span> <span class="nx">authHandler</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">lambdaNode</span><span class="p">.</span><span class="nc">NodejsFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">AuthHandler</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Runtime</span><span class="p">.</span><span class="nx">NODEJS_18_X</span><span class="p">,</span> <span class="na">entry</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">"</span><span class="s2">../lambdas/websocket/authorizer/index.ts</span><span class="dl">"</span><span class="p">),</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">USER_POOL_ID</span><span class="p">:</span> <span class="nx">userPool</span><span class="p">.</span><span class="nx">userPoolId</span><span class="p">,</span> <span class="na">APP_CLIENT_ID</span><span class="p">:</span> <span class="nx">userPoolClient</span><span class="p">.</span><span class="nx">userPoolClientId</span><span class="p">,</span> <span class="na">CONNECTION_TABLE_NAME</span><span class="p">:</span> <span class="nx">connectionIdTable</span><span class="p">.</span><span class="nx">tableName</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// This lambda function will handle all routes (in our simple example)</span> <span class="kd">const</span> <span class="nx">websocketHandler</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">lambdaNode</span><span class="p">.</span><span class="nc">NodejsFunction</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">WebSocketHandler</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Runtime</span><span class="p">.</span><span class="nx">NODEJS_18_X</span><span class="p">,</span> <span class="na">entry</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">"</span><span class="s2">../lambdas/websocket/handler/index.ts</span><span class="dl">"</span><span class="p">),</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">CONNECTION_TABLE_NAME</span><span class="p">:</span> <span class="nx">connectionIdTable</span><span class="p">.</span><span class="nx">tableName</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">);</span> <span class="nx">connectionIdTable</span><span class="p">.</span><span class="nf">grantReadWriteData</span><span class="p">(</span><span class="nx">websocketHandler</span><span class="p">);</span> <span class="nx">connectionIdTable</span><span class="p">.</span><span class="nf">grantReadWriteData</span><span class="p">(</span><span class="nx">authHandler</span><span class="p">);</span> <span class="c1">// Create the authorizer. The `identitySource` is the information we </span> <span class="c1">// need to supply when connecting to the API. `authHandler` will </span> <span class="c1">// use the `idToken` to verify the user.</span> <span class="kd">const</span> <span class="nx">authorizer</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">apigatewayv2_auth</span><span class="p">.</span><span class="nc">WebSocketLambdaAuthorizer</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Authorizer</span><span class="dl">"</span><span class="p">,</span> <span class="nx">authHandler</span><span class="p">,</span> <span class="p">{</span> <span class="na">identitySource</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">route.request.querystring.idToken</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="p">);</span> <span class="c1">// Now create our WebSocket.</span> <span class="kd">let</span> <span class="nx">apiv2Websocket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">apigatewayv2</span><span class="p">.</span><span class="nc">WebSocketApi</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">knowledgeBaseWebSocket</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Used by your serverless app to integrate services</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// On the `$connect` route, specify our authorizer. When connecting, </span> <span class="c1">// traffic will go through the authorizer before being routed </span> <span class="c1">// to the `websocketHandler` integration.</span> <span class="na">connectRouteOptions</span><span class="p">:</span> <span class="p">{</span> <span class="nx">authorizer</span><span class="p">,</span> <span class="na">integration</span><span class="p">:</span> <span class="k">new</span> <span class="nx">apigatewayv2_integrations</span><span class="p">.</span><span class="nc">WebSocketLambdaIntegration</span><span class="p">(</span> <span class="dl">"</span><span class="s2">ConnectIntegration</span><span class="dl">"</span><span class="p">,</span> <span class="nx">websocketHandler</span><span class="p">,</span> <span class="p">),</span> <span class="p">},</span> <span class="na">disconnectRouteOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">integration</span><span class="p">:</span> <span class="k">new</span> <span class="nx">apigatewayv2_integrations</span><span class="p">.</span><span class="nc">WebSocketLambdaIntegration</span><span class="p">(</span> <span class="dl">"</span><span class="s2">DisconnectIntegration</span><span class="dl">"</span><span class="p">,</span> <span class="nx">websocketHandler</span><span class="p">,</span> <span class="p">),</span> <span class="p">},</span> <span class="c1">// For this sample example, route all traffic through the `websocketHandler`</span> <span class="na">defaultRouteOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">integration</span><span class="p">:</span> <span class="k">new</span> <span class="nx">apigatewayv2_integrations</span><span class="p">.</span><span class="nc">WebSocketLambdaIntegration</span><span class="p">(</span> <span class="dl">"</span><span class="s2">DefaultIntegration</span><span class="dl">"</span><span class="p">,</span> <span class="nx">websocketHandler</span><span class="p">,</span> <span class="p">),</span> <span class="p">},</span> <span class="p">},</span> <span class="p">);</span> <span class="c1">// You need to manually add the stage.</span> <span class="k">new</span> <span class="nx">apigatewayv2</span><span class="p">.</span><span class="nc">WebSocketStage</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">dev</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">webSocketApi</span><span class="p">:</span> <span class="nx">apiv2Websocket</span><span class="p">,</span> <span class="na">stageName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">dev</span><span class="dl">"</span><span class="p">,</span> <span class="na">autoDeploy</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Be sure to grant the `websocketHandler` permission to manage </span> <span class="c1">// the WebSocket connection.</span> <span class="nx">apiv2Websocket</span><span class="p">.</span><span class="nf">grantManageConnections</span><span class="p">(</span><span class="nx">websocketHandler</span><span class="p">);</span> <span class="k">return</span> <span class="nx">apiv2Websocket</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>OKAY! Now what about the <code>authHandler</code> and <code>websocketHandler</code> functions?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// `authHandler`</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">APIGatewayRequestAuthorizerHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-lambda</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CognitoJwtVerifier</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-jwt-verify</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DynamoDBClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/client-dynamodb</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DynamoDBDocumentClient</span><span class="p">,</span> <span class="nx">PutCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/lib-dynamodb</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CognitoIdTokenPayload</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-jwt-verify/jwt-model</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">UserPoolId</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">USER_POOL_ID</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">AppClientId</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_CLIENT_ID</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">DynamoDBDocumentClient</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="k">new</span> <span class="nc">DynamoDBClient</span><span class="p">({}));</span> <span class="kd">const</span> <span class="nx">ConnectionTableName</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CONNECTION_TABLE_NAME</span><span class="o">!</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span><span class="p">:</span> <span class="nx">APIGatewayRequestAuthorizerHandler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">event</span><span class="p">,</span> <span class="nx">_context</span><span class="p">,</span> <span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// We will use the CognitoJwtVerifier to verify that the `idToken` </span> <span class="c1">// supplied by the client is indeed associated with our `UserPool`</span> <span class="kd">const</span> <span class="nx">verifier</span> <span class="o">=</span> <span class="nx">CognitoJwtVerifier</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">userPoolId</span><span class="p">:</span> <span class="nx">UserPoolId</span><span class="p">,</span> <span class="na">tokenUse</span><span class="p">:</span> <span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">AppClientId</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">connectionId</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">connectionId</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">encodedToken</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">queryStringParameters</span><span class="o">!</span><span class="p">.</span><span class="nx">idToken</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">verifier</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">encodedToken</span><span class="p">);</span> <span class="c1">// Successfully Authenticated!</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Token is valid. Payload:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">payload</span><span class="p">);</span> <span class="c1">// Save the session information to the DynamoDB table</span> <span class="k">await</span> <span class="nf">saveSession</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">connectionId</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">User information saved to database!</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Now return a policy which allows the client to connect!</span> <span class="k">return</span> <span class="nf">allowPolicy</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">methodArn</span><span class="p">,</span> <span class="nx">payload</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="na">error</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="k">return</span> <span class="nf">denyAllPolicy</span><span class="p">();</span> <span class="p">}</span> <span class="p">};</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">saveSession</span><span class="p">(</span> <span class="nx">payload</span><span class="p">:</span> <span class="nx">CognitoIdTokenPayload</span><span class="p">,</span> <span class="nx">connectionId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PutCommand</span><span class="p">({</span> <span class="na">TableName</span><span class="p">:</span> <span class="nx">ConnectionTableName</span><span class="p">,</span> <span class="na">Item</span><span class="p">:</span> <span class="p">{</span> <span class="na">userName</span><span class="p">:</span> <span class="nx">payload</span><span class="p">[</span><span class="dl">"</span><span class="s2">cognito:username</span><span class="dl">"</span><span class="p">]</span> <span class="o">??</span> <span class="dl">""</span><span class="p">,</span> <span class="na">userGroups</span><span class="p">:</span> <span class="nx">payload</span><span class="p">[</span><span class="dl">"</span><span class="s2">cognito:groups</span><span class="dl">"</span><span class="p">]</span> <span class="o">??</span> <span class="dl">""</span><span class="p">,</span> <span class="na">userEmail</span><span class="p">:</span> <span class="nx">payload</span><span class="p">[</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">]</span> <span class="o">??</span> <span class="dl">""</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="na">connectionId</span><span class="p">:</span> <span class="nx">connectionId</span><span class="p">,</span> <span class="na">removedAt</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">ceil</span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">)</span> <span class="o">+</span> <span class="mi">3600</span> <span class="o">*</span> <span class="mi">3</span><span class="p">,</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">allowPolicy</span><span class="p">(</span><span class="nx">methodArn</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">idToken</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">principalId</span><span class="p">:</span> <span class="nx">idToken</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="na">policyDocument</span><span class="p">:</span> <span class="p">{</span> <span class="na">Version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="na">Statement</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">execute-api:Invoke</span><span class="dl">"</span><span class="p">,</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="na">Resource</span><span class="p">:</span> <span class="nx">methodArn</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="na">context</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// set userId in the context</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">idToken</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">denyAllPolicy</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">principalId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">,</span> <span class="na">policyDocument</span><span class="p">:</span> <span class="p">{</span> <span class="na">Version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="na">Statement</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">,</span> <span class="na">Effect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Deny</span><span class="dl">"</span><span class="p">,</span> <span class="na">Resource</span><span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Once the client is authenticated, the connection request is routed to the <code>websocketHandler</code> function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// `websocketHandler`</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">APIGatewayProxyHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">aws-lambda</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DynamoDBClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/client-dynamodb</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DeleteCommand</span><span class="p">,</span> <span class="nx">DynamoDBDocumentClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/lib-dynamodb</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ApiGatewayManagementApiClient</span><span class="p">,</span> <span class="nx">PostToConnectionCommand</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/client-apigatewaymanagementapi</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">DynamoDBDocumentClient</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="k">new</span> <span class="nc">DynamoDBClient</span><span class="p">({}));</span> <span class="kd">const</span> <span class="nx">ConnectionTableName</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CONNECTION_TABLE_NAME</span><span class="o">!</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span><span class="p">:</span> <span class="nx">APIGatewayProxyHandler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">,</span> <span class="nx">_context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">routeKey</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">routeKey</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">connectionId</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">connectionId</span><span class="o">!</span><span class="p">;</span> <span class="c1">// If the route is `$connect` go ahead and connect</span> <span class="k">if </span><span class="p">(</span><span class="nx">routeKey</span> <span class="o">==</span> <span class="dl">"</span><span class="s2">$connect</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Connected.</span><span class="dl">"</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// If `$disconnect`</span> <span class="k">if </span><span class="p">(</span><span class="nx">routeKey</span> <span class="o">==</span> <span class="dl">"</span><span class="s2">$disconnect</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// This function will delete the connection information from the </span> <span class="c1">// DynamoDB table when you disconnect.</span> <span class="k">await</span> <span class="nf">removeConnectionId</span><span class="p">(</span><span class="nx">connectionId</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Disconnected.</span><span class="dl">"</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Disconnection failed.</span><span class="dl">"</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// Default route for any other requests</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Just echo back messages in other route than connect, disconnect </span> <span class="c1">// (for testing purpose)</span> <span class="kd">const</span> <span class="nx">domainName</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">domainName</span><span class="o">!</span><span class="p">;</span> <span class="c1">// When we use a custom domain, we don't need to append a stage name</span> <span class="kd">const</span> <span class="nx">endpoint</span> <span class="o">=</span> <span class="nx">domainName</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">amazonaws.com</span><span class="dl">"</span><span class="p">)</span> <span class="p">?</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">domainName</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">stage</span><span class="p">}</span><span class="s2">`</span> <span class="p">:</span> <span class="s2">`https://</span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">domainName</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="c1">// Now let's send a message from the WebSocket back to the client!</span> <span class="kd">const</span> <span class="nx">managementApi</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApiGatewayManagementApiClient</span><span class="p">({</span> <span class="nx">endpoint</span><span class="p">,</span> <span class="p">});</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// This is where the message gets sent back to client. This example </span> <span class="c1">// just echos the event body. So if we connect and just send RAW text, </span> <span class="c1">// the WebSocket will send back the same RAW text.</span> <span class="k">await</span> <span class="nx">managementApi</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PostToConnectionCommand</span><span class="p">({</span> <span class="na">ConnectionId</span><span class="p">:</span> <span class="nx">connectionId</span><span class="p">,</span> <span class="na">Data</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="p">}),</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">,</span> <span class="p">),</span> <span class="p">}),</span> <span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="na">e</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">statusCode</span> <span class="o">==</span> <span class="mi">410</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">removeConnectionId</span><span class="p">(</span><span class="nx">connectionId</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">e</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">e</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Received.</span><span class="dl">"</span> <span class="p">};</span> <span class="p">}</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">removeConnectionId</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">connectionId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span> <span class="k">new</span> <span class="nc">DeleteCommand</span><span class="p">({</span> <span class="na">TableName</span><span class="p">:</span> <span class="nx">ConnectionTableName</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="p">{</span> <span class="nx">connectionId</span><span class="p">,</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>Hope somebody found this useful! In the end probably using the already established IAM authorizer is more simple, but if you are looking to use your <code>Cognito</code> login credentials, then this example should help!</p> aws cdk apigateway websocket Cheap & Easy AWS FTP Server with EC2 and S3 Wesley Cheek Wed, 20 Dec 2023 00:18:10 +0000 https://dev.to/wesleycheek/cheap-easy-aws-ftp-server-with-ec2-and-s3-33ga https://dev.to/wesleycheek/cheap-easy-aws-ftp-server-with-ec2-and-s3-33ga <p>The github repository for this project is <a href="https://github.com/wcheek/Easy-AWS-CDK-FTP-Server/tree/main" rel="noopener noreferrer">here!</a>.</p> <h2> Introduction </h2> <p>Using <code>AWS CDK</code> we can quickly deploy a small <code>EC2 Instance</code> to act as an FTP Server with an unlimited S3 storage backend.</p> <p>With an hourly rate of only <code>$0.0058</code> (us-east-1), <code>t2-nano</code> is sufficient for running a small FTP server with the S3 integration!</p> <p>The server is configured on deploy using <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html" rel="noopener noreferrer">EC2 UserData</a>. <a href="https://aws.amazon.com/s3/features/mountpoint/" rel="noopener noreferrer"><code>mount-s3</code></a> is used for mounting an S3 bucket to your instance. We start up <a href="https://help.ubuntu.com/community/vsftpd" rel="noopener noreferrer"><code>VSFTPD</code></a>, <a href="https://docs.rockylinux.org/guides/file_sharing/secure_ftp_server_vsftpd/" rel="noopener noreferrer">set up a virtual user</a> in the same directory as our mounted S3 bucket, and we have our end-to-end FTP solution!</p> <h2> Architecture </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffjo68n0yhod0cv51js1z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffjo68n0yhod0cv51js1z.png" alt="architecture"></a></p> <ol> <li>A user connects to the instance with the instance's Public IP or DNS.</li> <li>The user agrees to use the server's TLS certificate.</li> <li>A secure FTPS connection is made and the user can freely work with the files on the S3 bucket.</li> </ol> <h3> CDK Structure </h3> <p>You'll find the code for the stack in <code>lib/ftp-server-stack.ts</code>. It uses four<br> custom <code>Constructs</code>:</p> <ol> <li> <code>VPCStuff</code> creates a simple <code>VPC</code> with no <code>NAT Gateways</code> since they aren't necessary and we want to save on cost (<code>NAT Gateways</code> are expensive!)</li> <li> <code>StorageStuff</code> creates a bucket to persist data from the FTP server. It's set to automatically delete data and remove itself on <code>cdk destroy</code>.</li> <li> <code>SecurityStuff</code> creates an <code>IAM Role</code> with permissions to read and write to the FTP bucket and access the <code>Secret</code> that stores the password for the <code>ftpUser</code> account we will create on the EC2 instance. <code>SecurityStuff</code> also creates an <code>EC2 Security Group</code> inside our <code>VPC</code> which allows <code>SSH</code> and <code>FTP</code> access into the EC2 instance. Additionally, we open ports which will be used for the data connection with <code>VSFTPD</code> </li> <li>Finally, <code>ec2InstanceStuff</code> creates and configures the EC2 instance. The instance is based on <a href="https://aws.amazon.com/amazon-linux-2/faqs/" rel="noopener noreferrer"><code>Amazon Linux 2</code></a> </li> </ol> <p>The EC2 instance Public IP and the FTP Bucket name gets output upon successful deploy.</p> <h2> Method </h2> <p><a href="https://aws.amazon.com/cdk/" rel="noopener noreferrer"><code>AWS CDK</code></a> is used to synthesize the <code>CloudFormation</code> template that will deploy our architecture and also configure the server.</p> <p>We configure the EC2 instance using <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html" rel="noopener noreferrer">EC2 UserData</a> stored as a bash script in <code>lib/ec2-setup.sh</code>. We also use <a href="https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CloudFormationInit.html" rel="noopener noreferrer"><code>CloudFormationInit</code></a> to store a slightly customized <code>vsftpd.conf</code> file.</p> <h2> Things you need to do yourself </h2> <ol> <li>Make a secret on <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html" rel="noopener noreferrer"><code>AWS Secrets Manager</code></a> for your ftp user password. You'll use this when connecting to the server.</li> <li>Fix references to your secret. I named by secret "ftpUser_Password". You'll find references to this in the <code>ec2InstanceStuff</code> and <code>securityStuff</code> constructs in <code>lib/ftp-server-stack.ts</code> </li> <li>Create a <code>Key Pair</code> using the <code>AWS EC2 Console</code>. You'll need this to access the instance by SSH.</li> <li>Fix references to the <code>Key Pair</code>. I've named mine <code>"RiceCooker_FTP_Server"</code> - this needs to match the <code>Key Pair</code> that you just made.</li> <li>Copy the repo and <code>cdk deploy</code>!</li> </ol> <h2> Conclusion </h2> <p>In researching this solution I ran into many different ways people were trying to make an affordable FTP server. Some used ECS, others were deploying docker containers onto an EC2 instance (<a href="https://github.com/d-t-o/aws-vsftpd/tree/master" rel="noopener noreferrer">main inspiration</a>). I always prefer a repeatable approach using <code>CDK</code>, so I combined a number of these posts into something that is easy for anyone to deploy.</p> <p>I hope you found this useful - let me know!</p> aws cdk ftp tutorial Python AWS CDK Pipelines with NodeJS Dependencies Wesley Cheek Wed, 27 Sep 2023 04:17:04 +0000 https://dev.to/wesleycheek/python-aws-cdk-pipelines-with-nodejs-dependencies-2ai9 https://dev.to/wesleycheek/python-aws-cdk-pipelines-with-nodejs-dependencies-2ai9 <p><a href="https://docs.aws.amazon.com/cdk/v2/guide/cdk_pipeline.html">AWS CDK Pipelines</a> are a fantastic way to deploy your infrastructure using CI/CD practices.</p> <p>The pipeline, using AWS CodeBuild and CodePipeline, can reproducibly build and deploy both your front-end and back-end applications. But how can we use Python to build the pipeline, but then deploy Lambda Functions written in <code>JavaScript</code> or <code>TypeScript</code>?</p> <p>This has been a bit of a tricky problem for me, because most examples found online are for <code>AWS CDK</code> projects written in <code>TypeScript</code>. We need to add an additional step to our pipelines if we want our NodeJS Lambda Functions to get built with dependencies.</p> <p>TLDR: Simply run <code>npm i</code> in your shell step and your dependencies detailed in your root <code>package.json</code> file will be available when CodeBuild is building your NodeJS functions.</p> <p>With AWS CDK Pipelines, there is no need to specify dependencies in each individual function folder. Instead, specify all of them at the root of your project in a <code>package.json</code> file. When <code>npm i</code> is run in the pipeline's shell step, these dependencies become available for all of your NodeJS functions to build with.</p> <p>I provide a full example below.</p> <p>Let's build our stack, stage, and pipeline in Python flavored AWS CDK!</p> <h2> STACK WITH NODEJS LAMBDA FUNCTION </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># stacks/backend_stack.py </span><span class="kn">from</span> <span class="nn">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="kn">from</span> <span class="nn">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_lambda_nodejs</span> <span class="k">as</span> <span class="n">_lambda_nodejs</span> <span class="kn">from</span> <span class="nn">aws_cdk</span> <span class="kn">import</span> <span class="n">Stack</span> <span class="k">class</span> <span class="nc">BackendStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span> <span class="bp">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nb">super</span><span class="p">().</span><span class="n">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="bp">self</span><span class="p">.</span><span class="n">backend_lambda</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">build_backend_lambda</span><span class="p">()</span> <span class="k">def</span> <span class="nf">build_backend_lambda</span><span class="p">():</span> <span class="s">""" Example NodeJS lambda """</span> <span class="c1"># Here I instantiate a lambda function which is written in Javascript or Typescript. The file app.js exports a function called handler. </span> <span class="n">backend_lambda</span> <span class="o">=</span> <span class="n">_lambda_nodejs</span><span class="p">.</span><span class="n">NodejsFunction</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="bp">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="s">"backendLambda"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">NODEJS_16_X</span><span class="p">,</span> <span class="c1"># type: ignore </span> <span class="n">entry</span><span class="o">=</span><span class="s">"lambda_funcs/backend/app.js"</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="s">"handler"</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h2> STAGE </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="nn">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="kn">from</span> <span class="nn">stacks.backend_stack</span> <span class="kn">import</span> <span class="n">BackendStack</span> <span class="k">class</span> <span class="nc">BackendStage</span><span class="p">(</span><span class="n">Stage</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="nb">super</span><span class="p">().</span><span class="n">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="nb">id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="p">)</span> <span class="bp">self</span><span class="p">.</span><span class="n">backend</span> <span class="o">=</span> <span class="n">BackendStack</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="bp">self</span><span class="p">,</span> <span class="n">construct_id</span><span class="o">=</span><span class="s">"Backend"</span> <span class="p">)</span> </code></pre> </div> <h2> PIPELINE </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">from</span> <span class="nn">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_secretsmanager</span> <span class="k">as</span> <span class="n">secretsmanager</span> <span class="kn">from</span> <span class="nn">aws_cdk.aws_codebuild</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">BuildEnvironment</span><span class="p">,</span> <span class="n">ComputeType</span><span class="p">,</span> <span class="n">LinuxBuildImage</span><span class="p">,</span> <span class="p">)</span> <span class="kn">from</span> <span class="nn">aws_cdk.aws_codepipeline_actions</span> <span class="kn">import</span> <span class="n">GitHubTrigger</span> <span class="kn">from</span> <span class="nn">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="k">class</span> <span class="nc">PipelineStack</span><span class="p">(</span><span class="n">cdk</span><span class="p">.</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span> <span class="bp">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nb">super</span><span class="p">().</span><span class="n">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="n">github_secret</span> <span class="o">=</span> <span class="n">secretsmanager</span><span class="p">.</span><span class="n">Secret</span><span class="p">.</span><span class="n">from_secret_name_v2</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="bp">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="s">"github_secret"</span><span class="p">,</span> <span class="n">secret_name</span><span class="o">=</span><span class="s">"Github_Personal_Access_Token"</span><span class="p">,</span> <span class="p">)</span> <span class="n">code_build</span> <span class="o">=</span> <span class="n">pipelines</span><span class="p">.</span><span class="n">CodeBuildOptions</span><span class="p">(</span> <span class="n">build_environment</span><span class="o">=</span><span class="n">BuildEnvironment</span><span class="p">(</span> <span class="n">build_image</span><span class="o">=</span><span class="n">LinuxBuildImage</span><span class="p">.</span><span class="n">STANDARD_5_0</span><span class="p">,</span> <span class="n">compute_type</span><span class="o">=</span><span class="n">ComputeType</span><span class="p">.</span><span class="n">SMALL</span><span class="p">,</span> <span class="p">)</span> <span class="p">)</span> <span class="c1"># This pipeline deploys a cdk stack </span> <span class="n">pipeline</span> <span class="o">=</span> <span class="n">pipelines</span><span class="p">.</span><span class="n">CodePipeline</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="bp">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="s">"Pipeline"</span><span class="p">,</span> <span class="n">code_build_defaults</span><span class="o">=</span><span class="n">code_build</span><span class="p">,</span> <span class="n">synth</span><span class="o">=</span><span class="n">pipelines</span><span class="p">.</span><span class="n">ShellStep</span><span class="p">(</span> <span class="nb">id</span><span class="o">=</span><span class="s">"Synth"</span><span class="p">,</span> <span class="nb">input</span><span class="o">=</span><span class="n">pipelines</span><span class="p">.</span><span class="n">CodePipelineSource</span><span class="p">.</span><span class="n">git_hub</span><span class="p">(</span> <span class="n">repo_string</span><span class="o">=</span><span class="s">"USERNAME/REPOSITORY"</span><span class="p">,</span> <span class="n">branch</span><span class="o">=</span><span class="s">"dev"</span><span class="p">,</span> <span class="n">authentication</span><span class="o">=</span><span class="n">github_secret</span><span class="p">.</span><span class="n">secret_value_from_json</span><span class="p">(</span> <span class="n">key</span><span class="o">=</span><span class="s">"github_access_token"</span> <span class="p">),</span> <span class="n">trigger</span><span class="o">=</span><span class="n">GitHubTrigger</span><span class="p">.</span><span class="n">WEBHOOK</span><span class="p">,</span> <span class="p">),</span> <span class="n">commands</span><span class="o">=</span><span class="p">[</span> <span class="s">"pip install -r requirements.txt"</span><span class="p">,</span> <span class="s">"npm i"</span><span class="p">,</span> <span class="c1"># This is the essential step for this article </span> <span class="s">"npm install -g aws-cdk"</span><span class="p">,</span> <span class="s">"cdk synth"</span><span class="p">,</span> <span class="p">],</span> <span class="p">),</span> <span class="n">docker_enabled_for_synth</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">pipeline</span><span class="p">.</span><span class="n">add_stage</span><span class="p">(</span> <span class="n">BackendStage</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="bp">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="s">"backend"</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p>Good luck!</p> aws cdk node python Lapce Typescript Support Wesley Cheek Thu, 21 Sep 2023 07:55:56 +0000 https://dev.to/wesleycheek/lapce-typescript-support-b24 https://dev.to/wesleycheek/lapce-typescript-support-b24 <p>I've been looking for a decent alternative to <code>VS Code</code> for a long time. I love <code>VS Code</code> but let's face it: it's slow and bloated if you're not on some good hardware.</p> <p>I just discovered <a href="https://lapce.dev"><code>Lapce</code></a> and was immediately impressed by its potential. It's an open-source text editor fully written in Rust, it's lightning-fast, and already has some nice features out of the box like native modal-editing (vim), language features through LSP providers, decent <code>Git</code> support, and an integrated terminal.</p> <p>I'm posting this, because for whatever reason, getting <code>Typescript</code> support working was a pain in the ass.</p> <p>1.<br> Install <code>typescript-language-server</code> and <code>typescript</code> (Requires <code>NodeJS</code>) via <code>npm</code> or your system package manager:</p> <p><code>npm i --global typescript-language-server@2 typescript</code><br> <strong>The plugin page did not specify the <code>@2</code> version, may have been my problem.</strong></p> <p>Server needs to be in one of the paths included in PATH environment variable.<br> <strong>This turned out to not work for me, may have also been my problem.</strong></p> <p>2.<br> Add the <a href="https://github.com/panekj/lapce-typescript">TS / JS plugin</a> to <code>Lapce</code>.</p> <p>3.<br> Edit the <code>Lapce</code> settings file by pressing <code>Ctrl + Alt + P</code> and typing <code>settings file</code>. Add these settings to the end:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[lapce-typescript.volt]</span> <span class="py">serverPath</span> <span class="p">=</span> <span class="s">"C:/Users/username/AppData/Roaming/npm/typescript-language-server.cmd"</span> <span class="py">serverArgs</span> <span class="p">=</span> <span class="nn">["--stdio"]</span> </code></pre> </div> <p>Where the <code>serverPath</code> is going to be specific to where <code>npm</code> puts global installs.</p> <p><code>Lapce</code> is still missing a few things and it's modal support is adequate at best, but it's okay since it's still in <em>Pre-Alpha</em>. For the speed, I'm going to consider the lack of features a decent trade-off. I look forward to see where it goes from here! </p> <p>If you try <code>Lapce</code>, let me know! </p> lapce typescript Python Script to Quickly Delete S3 Buckets Wesley Cheek Tue, 15 Nov 2022 05:50:59 +0000 https://dev.to/wesleycheek/python-script-to-quickly-delete-s3-buckets-22b2 https://dev.to/wesleycheek/python-script-to-quickly-delete-s3-buckets-22b2 <p>I got frustrated having to empty and delete S3 buckets using the AWS Console, so I created a <code>Python</code> script to do it for me!</p> <p><strong>WARNING: This method bypasses all of the usual safety associated with deleting buckets with the <code>AWS Console</code>, so make absolutely sure you want to delete your bucket before running this script.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Use the boto3 library to communicate with AWS </span><span class="kn">import</span> <span class="nn">boto3</span> <span class="c1"># Buckets you want to delete, specified by their names </span><span class="n">BUCKETS</span> <span class="o">=</span> <span class="p">[</span> <span class="s">"bucket-one"</span><span class="p">,</span> <span class="s">"bucket-two"</span><span class="p">,</span> <span class="p">]</span> <span class="n">s3</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="n">resource</span><span class="p">(</span><span class="s">"s3"</span><span class="p">)</span> <span class="k">for</span> <span class="n">bucket_name</span> <span class="ow">in</span> <span class="n">BUCKETS</span><span class="p">:</span> <span class="c1"># For each bucket, create a resource object with boto3 </span> <span class="n">bucket</span> <span class="o">=</span> <span class="n">s3</span><span class="p">.</span><span class="n">Bucket</span><span class="p">(</span><span class="n">bucket_name</span><span class="p">)</span> <span class="c1"># Delete all of the objects in the bucket </span> <span class="n">bucket</span><span class="p">.</span><span class="n">object_versions</span><span class="p">.</span><span class="n">delete</span><span class="p">()</span> <span class="c1"># Delete the bucket itself! </span> <span class="n">bucket</span><span class="p">.</span><span class="n">delete</span><span class="p">()</span> </code></pre> </div> aws s3 python Storing your data in a Plotly Dash data dashboard Wesley Cheek Mon, 12 Sep 2022 00:59:25 +0000 https://dev.to/wesleycheek/storing-your-data-in-a-plotly-dash-data-dashboard-1e3o https://dev.to/wesleycheek/storing-your-data-in-a-plotly-dash-data-dashboard-1e3o <p><a href="https://dash.plotly.com/introduction"><code>Plotly Dash</code></a> is a great framework for developing interactive data dashboards using Python, R, and Javascript. It works alongside <a href="https://plotly.com"><code>Plotly</code></a> to bring your beautiful visualizations to the masses.</p> <p>One problem that is oftentimes encountered when developing <code>Dash</code> apps is being able to pass data around your app. Luckily, this is easy to do for small datasets using the <a href="https://dash.plotly.com/dash-core-components/store"><code>dcc.Store</code></a> component. <code>dcc.Store</code> stores your data as a <code>JSON</code> object inside a user's browser. </p> <p>The most common library for working with data in a data scientist's tool kit is <code>pandas</code>, so how can we store a <code>pandas DataFrame</code> in our dash app? It's easy, but there are some things to keep in mind.</p> <p>1) 'special' data types aren't going to be <code>JSON</code> serializable. You need to convert your <code>TimeDelta</code>s and <code>DateTime</code> data types to a <code>str</code> or <code>float</code>.<br> 2) You will lose your <code>index</code> information in the data conversation, so be sure to <code>pd.DataFrame.reset_index()</code> before you store your <code>DataFrame</code></p> <h3> Create the data store in your app </h3> <p><code>dcc.Store</code> can be placed anywhere in your app's layout.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">dash</span> <span class="kn">import</span> <span class="n">dcc</span> <span class="k">def</span> <span class="nf">layout</span><span class="p">():</span> <span class="k">return</span> <span class="n">html</span><span class="p">.</span><span class="n">Div</span><span class="p">(</span> <span class="p">[</span> <span class="n">dcc</span><span class="p">.</span><span class="n">Store</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="s">"current-data"</span><span class="p">),</span> <span class="n">dcc</span><span class="p">.</span><span class="n">Graph</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="s">"graph"</span><span class="p">)</span> <span class="p">]</span> <span class="p">)</span> </code></pre> </div> <h3> Store a <code>Pandas DataFrame</code> using <code>dcc.Store</code> </h3> <p>Now to store the dataframe, you can use the <code>pd.DataFrame.to_json()</code> method, after resetting its index.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="o">@</span><span class="n">callback</span><span class="p">(</span> <span class="n">output</span><span class="o">=</span><span class="p">[</span><span class="n">Output</span><span class="p">(</span><span class="s">"current-data"</span><span class="p">,</span> <span class="s">"data"</span><span class="p">)],</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">store_current_data</span><span class="p">():</span> <span class="c1"># Some loading from file/remote and data processing </span> <span class="k">return</span> <span class="p">[</span><span class="n">data</span><span class="p">.</span><span class="n">reset_index</span><span class="p">().</span><span class="n">to_json</span><span class="p">(</span><span class="n">orient</span><span class="o">=</span><span class="s">"split"</span><span class="p">)]</span> </code></pre> </div> <h3> Access a <code>Pandas DataFrame</code> stored in <code>dcc.Store</code> </h3> <p>Now we can <code>pd.read_json()</code> to retrieve the <code>DataFrame</code> from the store in a different callback! Return a <code>Plotly Figure</code> to a <code>dcc.Graph</code> output to plot your data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="o">@</span><span class="n">callback</span><span class="p">(</span> <span class="n">inputs</span><span class="o">=</span><span class="p">[</span><span class="n">Input</span><span class="p">(</span><span class="s">"current-data"</span><span class="p">,</span> <span class="s">"data"</span><span class="p">)],</span> <span class="n">output</span><span class="o">=</span><span class="p">[</span><span class="n">Output</span><span class="p">(</span><span class="s">"graph"</span><span class="p">,</span> <span class="s">"figure"</span><span class="p">)]</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">retrieve_current_data_and_plot</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="n">df</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="n">read_json</span><span class="p">(</span><span class="n">orient</span><span class="o">=</span><span class="s">"split"</span><span class="p">)</span> <span class="c1"># You can `set_index` here to get your original index back. </span> <span class="c1"># Create plotly figure here to display our data! </span> <span class="n">fig</span> <span class="o">=</span> <span class="p">...</span> <span class="k">return</span> <span class="p">[</span><span class="n">fig</span><span class="p">]</span> </code></pre> </div> <p><code>dcc.Store</code> is a great way to centralize data processing and allow data to be accessed across your app.</p> datascience plotly dash visualization Make VS Code Faster for Python Auto-Completion Wesley Cheek Mon, 25 Jul 2022 03:01:00 +0000 https://dev.to/wesleycheek/make-vs-code-faster-for-python-auto-completion-49p8 https://dev.to/wesleycheek/make-vs-code-faster-for-python-auto-completion-49p8 <p>I've always struggled with how slow <code>Pylance</code> <code>IntelliSense</code> becomes when a project gets large. It turns out that with a minor tweak, my system is super speedy again!</p> <p>Try adding a <a href="https://github.com/microsoft/pyright/blob/main/docs/configuration.md"><code>pyrightconfig.json</code> file</a> to the root of your project. By excluding folders that you don't need to be indexing (<code>node_modules</code>, <code>cdk.out</code>, etc.) you may see a significant boost.</p> <p>Here is a simple example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"include"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"."</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"exclude"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"**/node_modules"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/cdk.out"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/.pytest_cache"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/build"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/dist"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/.vscode"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/__pycache__"</span><span class="p">,</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"reportMissingImports"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Share any other tips you have in the comments!</p> python vscode Securely Use Secrets In Your AWS CDK Deployed Lambda Function Wesley Cheek Fri, 13 May 2022 07:35:51 +0000 https://dev.to/wesleycheek/securely-use-secrets-in-your-aws-cdk-deployed-lambda-function-1ebb https://dev.to/wesleycheek/securely-use-secrets-in-your-aws-cdk-deployed-lambda-function-1ebb <p>Have you ever needed secure access to things like login details in your Lambda functions? You might need to connect to a database or other service, but you don’t want to need to hard-code your credentials. Well, let’s use best security practices by getting our login details using <code>AWS Secrets Manager</code>!</p> <p>I will be using Python flavored <code>AWS CDK</code> to deploy a Lambda function which has permissions to access a secret stored in <code>Secrets Manager</code>. I will also show you how to retrieve this secret securely inside your lambda function.</p> <p>See the GitHub repository <a href="https://github.com/wcheek/CDK_Lambda_Secrets" rel="noopener noreferrer">here</a>.</p> <p>Before getting into the CDK components, let’s create an example secret using AWS CLI:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws secretsmanager create-secret <span class="nt">--name</span> secretsExample <span class="nt">--secret-string</span> <span class="s2">"TestPass123"</span> </code></pre> </div> <h2> Stack Design </h2> <blockquote> <p>cdk_lambda_secrets/cdk_lambda_secrets_stack.py</p> </blockquote> <p>Here we build the CDK stack by creating a lambda function and giving it permission to read our secret. We can pass the name of the secret into the lambda function as an environment variable to save ourselves some repetition.</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">Stack</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_lambda</span> <span class="k">as</span> <span class="n">_lambda</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_secretsmanager</span> <span class="k">as</span> <span class="n">secrets</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="k">class</span> <span class="nc">CdkLambdaSecretsStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_lambda_func</span><span class="p">()</span> <span class="k">def</span> <span class="nf">build_lambda_func</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">secret_name</span> <span class="o">=</span> <span class="sh">"</span><span class="s">secretsExample</span><span class="sh">"</span> <span class="n">self</span><span class="p">.</span><span class="n">secrets_lambda</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">LambdaWithSecrets</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_9</span><span class="p">,</span> <span class="n">function_name</span><span class="o">=</span><span class="sh">"</span><span class="s">LambdaWithSecretsExample</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span> <span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">lambda_funcs/lambda_with_secrets</span><span class="sh">"</span> <span class="p">),</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">lambda_with_secrets.handler</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># We need these env vars to access the secret inside the lambda </span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">secret_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">secret_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">secret_region</span><span class="sh">"</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">CDK_DEFAULT_REGION</span><span class="sh">"</span><span class="p">],</span> <span class="p">},</span> <span class="p">)</span> <span class="c1"># Grant permission to the Lambda func to access the secret </span> <span class="n">example_secret</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="n">Secret</span><span class="p">.</span><span class="nf">from_secret_name_v2</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">secretExample</span><span class="sh">"</span><span class="p">,</span> <span class="n">secret_name</span><span class="o">=</span><span class="n">secret_name</span> <span class="p">)</span> <span class="n">example_secret</span><span class="p">.</span><span class="nf">grant_read</span><span class="p">(</span><span class="n">grantee</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">secrets_lambda</span><span class="p">)</span> </code></pre> </div> <h2> Lambda Function </h2> <blockquote> <p>lambda_funcs/lambda_with_secrets/lambda_with_secrets.py</p> </blockquote> <p>Here we define a lambda function with a helper function <code>get_secrets()</code>. This is a very slightly modified version of the ‘Sample code’ function suggested by AWS when you look at the secret in the AWS Console. Rather than use the <code>ARN</code> to access the secret, we can simply use the name of the secret. I found that I was unable to get the <code>full ARN</code> of the secret using CDK, but luckily <code>get_secret_value()</code> accepts the secret name for its <code>SecretId</code> parameter.</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">base64</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="k">def</span> <span class="nf">get_secret</span><span class="p">():</span> <span class="sh">"""</span><span class="s"> Gets the secret </span><span class="sh">"""</span> <span class="c1"># Get env vars we passed in the stack. </span> <span class="n">secret_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">secret_name</span><span class="sh">"</span><span class="p">)</span> <span class="n">region_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">secret_region</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Create a Secrets Manager client </span> <span class="n">session</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="n">client</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span> <span class="n">service_name</span><span class="o">=</span><span class="sh">"</span><span class="s">secretsmanager</span><span class="sh">"</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="n">region_name</span> <span class="p">)</span> <span class="c1"># In this sample we only handle the specific exceptions for the 'GetSecretValue' API. </span> <span class="c1"># See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html </span> <span class="c1"># We rethrow the exception by default. </span> <span class="k">try</span><span class="p">:</span> <span class="c1"># We need only the name of the secret </span> <span class="n">get_secret_value_response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get_secret_value</span><span class="p">(</span> <span class="n">SecretId</span><span class="o">=</span><span class="n">secret_name</span> <span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Error</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">Code</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">DecryptionFailureException</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># Secrets Manager can't decrypt the protected secret text using the provided KMS key. </span> <span class="c1"># Deal with the exception here, and/or rethrow at your discretion. </span> <span class="k">raise</span> <span class="n">e</span> <span class="k">elif</span> <span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Error</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">Code</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">InternalServiceErrorException</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># An error occurred on the server side. </span> <span class="c1"># Deal with the exception here, and/or rethrow at your discretion. </span> <span class="k">raise</span> <span class="n">e</span> <span class="k">elif</span> <span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Error</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">Code</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">InvalidParameterException</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># You provided an invalid value for a parameter. </span> <span class="c1"># Deal with the exception here, and/or rethrow at your discretion. </span> <span class="k">raise</span> <span class="n">e</span> <span class="k">elif</span> <span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Error</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">Code</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">InvalidRequestException</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># You provided a parameter value that is not valid for the current state of the resource. </span> <span class="c1"># Deal with the exception here, and/or rethrow at your discretion. </span> <span class="k">raise</span> <span class="n">e</span> <span class="k">elif</span> <span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Error</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">Code</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">ResourceNotFoundException</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># We can't find the resource that you asked for. </span> <span class="c1"># Deal with the exception here, and/or rethrow at your discretion. </span> <span class="k">raise</span> <span class="n">e</span> <span class="k">else</span><span class="p">:</span> <span class="k">raise</span> <span class="n">e</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># Decrypts secret using the associated KMS key. </span> <span class="c1"># Depending on whether the secret is a string or binary, one of these fields will be populated. </span> <span class="k">if</span> <span class="sh">"</span><span class="s">SecretString</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">get_secret_value_response</span><span class="p">:</span> <span class="n">secret</span> <span class="o">=</span> <span class="n">get_secret_value_response</span><span class="p">[</span><span class="sh">"</span><span class="s">SecretString</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># If you have multiple secret values, you will need to json.loads(secret) here and then access the values using dict keys </span> <span class="k">return</span> <span class="n">secret</span> <span class="k">else</span><span class="p">:</span> <span class="n">decoded_binary_secret</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span> <span class="n">get_secret_value_response</span><span class="p">[</span><span class="sh">"</span><span class="s">SecretBinary</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="k">return</span> <span class="n">decoded_binary_secret</span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">secret</span> <span class="o">=</span> <span class="nf">get_secret</span><span class="p">()</span> <span class="c1"># Don't do this in production!!! </span> <span class="k">return</span> <span class="n">secret</span> </code></pre> </div> <p><code>cdk deploy</code> this stack and you should have a working example.</p> <h2> Test the Lambda Function </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fubrjwrdmskha04crzghi.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fubrjwrdmskha04crzghi.png" alt="Lambda test results"></a></p> <p>The Lambda function successfully retrieved the secret value from <code>AWS Secrets Manager</code>!</p> <h2> Tear Down </h2> <p>To delete the secret we created:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws secretsmanager delete-secret <span class="nt">--secret-id</span> secretsExample </code></pre> </div> <p>Destroy your stack:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> cdk destroy </code></pre> </div> <p>Enjoy!</p> aws cdk lambda python Put a Tensorflow model into production with AWS Lambda, Docker, and AWS CDK Wesley Cheek Fri, 22 Apr 2022 01:39:26 +0000 https://dev.to/wesleycheek/put-a-tensorflow-model-into-production-with-aws-lambda-and-aws-cdk-1jg6 https://dev.to/wesleycheek/put-a-tensorflow-model-into-production-with-aws-lambda-and-aws-cdk-1jg6 <p>To allow us to deploy a Tensorflow model on Lambda, I will pull concepts together from my previous articles. This article is about deploying a model on Lambda, so I will not be talking about training the model or using it.</p> <ul> <li> To build a Lambda function large enough to hold the <code>Tensorflow</code> library, we will need to <a href="https://dev.to/wesleycheek/deploy-a-docker-built-lambda-function-with-aws-cdk-fio">deploy our Lambda function using a Docker container stored on ECR</a>. </li> <li> To improve prediction times, we can <a href="https://dev.to/wesleycheek/lambda-function-with-persistent-file-store-using-aws-cdk-and-aws-efs-45h8">store our models in a filesystem attached to our Lambda function</a>. This mostly avoids having to load the models from <code>S3</code>.</li> <li> To get prediction results, we will use <a href="https://dev.to/wesleycheek/aws-lambda-function-urls-with-aws-cdk-58ih">Lambda function URLs</a> to expose an HTTPS endpoint we can query using HTTP GET (<a href="https://dev.to/wesleycheek/deploy-an-api-fronted-lambda-function-using-aws-cdk-2nch">another option is to use an API Gateway</a>).</li> <li> <a href="https://dev.to/wesleycheek/saveload-tensorflow-sklearn-pipelines-from-local-and-aws-s3-34dc">To save and load our models</a>, we will use Joblib.</li> </ul> <p>The Github repository can be found <a href="https://github.com/wcheek/CDK_Tensorflow" rel="noopener noreferrer">here</a>.</p> <p>Let’s get started building our stack and function!</p> <h2> Stack Design </h2> <p>I’ve tried to make this design as minimal as possible while keeping the features we are looking for: a docker deployed Lambda function with <code>Tensorflow</code> installed, including an attached file system, and with an HTTPS endpoint which can be queried with an HTTP GET message.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">CfnOutput</span> <span class="k">as</span> <span class="n">Output</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">CfnResource</span><span class="p">,</span> <span class="n">Duration</span><span class="p">,</span> <span class="n">RemovalPolicy</span><span class="p">,</span> <span class="n">Stack</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_ec2</span> <span class="k">as</span> <span class="n">ec2</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_efs</span> <span class="k">as</span> <span class="n">efs</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_lambda</span> <span class="k">as</span> <span class="n">_lambda</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_s3</span> <span class="k">as</span> <span class="n">s3</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_s3_deployment</span> <span class="k">as</span> <span class="n">s3_deployment</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="k">class</span> <span class="nc">CdkTensorflowStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># Let's list all of our physical resources getting deployed </span> <span class="n">self</span><span class="p">.</span><span class="n">vpc</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">access_point</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">prediction_lambda</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">models_bucket</span> <span class="o">=</span> <span class="bp">None</span> <span class="c1"># convenient deployment </span> <span class="n">self</span><span class="p">.</span><span class="nf">build_infrastructure</span><span class="p">()</span> <span class="k">def</span> <span class="nf">build_infrastructure</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_vpc</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_filesystem</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_lambda</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_bucket</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_function_url</span><span class="p">()</span> <span class="k">def</span> <span class="nf">build_vpc</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="c1"># Need the VPC for the lambda filesystem </span> <span class="n">self</span><span class="p">.</span><span class="n">vpc</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">VPC</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc_name</span><span class="o">=</span><span class="sh">"</span><span class="s">ExampleVPC</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">build_filesystem</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">file_system</span> <span class="o">=</span> <span class="n">efs</span><span class="p">.</span><span class="nc">FileSystem</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">ExampleEFS</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">file_system_name</span><span class="o">=</span><span class="sh">"</span><span class="s">ExampleEFS</span><span class="sh">"</span><span class="p">,</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># create a new access point from the filesystem </span> <span class="n">self</span><span class="p">.</span><span class="n">access_point</span> <span class="o">=</span> <span class="n">file_system</span><span class="p">.</span><span class="nf">add_access_point</span><span class="p">(</span> <span class="sh">"</span><span class="s">AccessPoint</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># set /export/lambda as the root of the access point </span> <span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">/export/lambda</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># as /export/lambda does not exist in a new efs filesystem, the efs will create the directory with the following createAcl </span> <span class="n">create_acl</span><span class="o">=</span><span class="n">efs</span><span class="p">.</span><span class="nc">Acl</span><span class="p">(</span> <span class="n">owner_uid</span><span class="o">=</span><span class="sh">"</span><span class="s">1001</span><span class="sh">"</span><span class="p">,</span> <span class="n">owner_gid</span><span class="o">=</span><span class="sh">"</span><span class="s">1001</span><span class="sh">"</span><span class="p">,</span> <span class="n">permissions</span><span class="o">=</span><span class="sh">"</span><span class="s">750</span><span class="sh">"</span> <span class="p">),</span> <span class="c1"># enforce the POSIX identity so lambda function will access with this identity </span> <span class="n">posix_user</span><span class="o">=</span><span class="n">efs</span><span class="p">.</span><span class="nc">PosixUser</span><span class="p">(</span><span class="n">uid</span><span class="o">=</span><span class="sh">"</span><span class="s">1001</span><span class="sh">"</span><span class="p">,</span> <span class="n">gid</span><span class="o">=</span><span class="sh">"</span><span class="s">1001</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">build_lambda</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">prediction_lambda</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">DockerImageFunction</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">TensorflowLambda</span><span class="sh">"</span><span class="p">,</span> <span class="n">function_name</span><span class="o">=</span><span class="sh">"</span><span class="s">TensorflowLambda</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">DockerImageCode</span><span class="p">.</span><span class="nf">from_image_asset</span><span class="p">(</span> <span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">lambda_funcs/TensorflowLambda</span><span class="sh">"</span> <span class="p">),</span> <span class="c1"># I've found inferences can be made with my simple model in &lt; 20 sec </span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">60</span> <span class="o">*</span> <span class="mf">0.5</span><span class="p">),</span> <span class="n">memory_size</span><span class="o">=</span><span class="mi">128</span> <span class="o">*</span> <span class="mi">6</span> <span class="o">*</span> <span class="mi">1</span><span class="p">,</span> <span class="c1"># mb </span> <span class="c1"># Attach the EFS file system </span> <span class="n">filesystem</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">FileSystem</span><span class="p">.</span><span class="nf">from_efs_access_point</span><span class="p">(</span> <span class="n">ap</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">access_point</span><span class="p">,</span> <span class="n">mount_path</span><span class="o">=</span><span class="sh">"</span><span class="s">/mnt/models</span><span class="sh">"</span> <span class="p">)</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">access_point</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="c1"># Needs to be placed in the same VPC as the EFS file system </span> <span class="n">vpc</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">build_bucket</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">models_bucket</span> <span class="o">=</span> <span class="n">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">ExampleModelsBucket</span><span class="sh">"</span><span class="p">,</span> <span class="n">bucket_name</span><span class="o">=</span><span class="sh">"</span><span class="s">models-bucket</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># These settings will make sure things get deleted when we take down the stack </span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="n">auto_delete_objects</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># We can add files to our new bucket from a local source </span> <span class="n">s3_deployment</span><span class="p">.</span><span class="nc">BucketDeployment</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">save_model_to_s3</span><span class="sh">"</span><span class="p">,</span> <span class="n">sources</span><span class="o">=</span><span class="p">[</span><span class="n">s3_deployment</span><span class="p">.</span><span class="n">Source</span><span class="p">.</span><span class="nf">asset</span><span class="p">(</span><span class="sh">"</span><span class="s">model_files</span><span class="sh">"</span><span class="p">)],</span> <span class="n">destination_bucket</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">models_bucket</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Make sure to give the lambda permission to retrieve the model file </span> <span class="n">self</span><span class="p">.</span><span class="n">models_bucket</span><span class="p">.</span><span class="nf">grant_read</span><span class="p">(</span><span class="n">identity</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">prediction_lambda</span><span class="p">)</span> <span class="k">def</span> <span class="nf">build_function_url</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="c1"># Set up the Lambda Function URL </span> <span class="n">cfnFuncUrl</span> <span class="o">=</span> <span class="nc">CfnResource</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">lambdaFuncUrl</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS::Lambda::Url</span><span class="sh">"</span><span class="p">,</span> <span class="n">properties</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">TargetFunctionArn</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">prediction_lambda</span><span class="p">.</span><span class="n">function_arn</span><span class="p">,</span> <span class="sh">"</span><span class="s">AuthType</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">NONE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Cors</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">AllowOrigins</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">]},</span> <span class="p">},</span> <span class="p">)</span> <span class="c1"># Give everyone permission to invoke the Function URL </span> <span class="nc">CfnResource</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">funcURLPermission</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS::Lambda::Permission</span><span class="sh">"</span><span class="p">,</span> <span class="n">properties</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">FunctionName</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">prediction_lambda</span><span class="p">.</span><span class="n">function_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">Principal</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">lambda:InvokeFunctionUrl</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">FunctionUrlAuthType</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">NONE</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">)</span> <span class="c1"># Get the Function URL as output </span> <span class="nc">Output</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">funcURLOutput</span><span class="sh">"</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">cfnFuncUrl</span><span class="p">.</span><span class="nf">get_att</span><span class="p">(</span><span class="n">attribute_name</span><span class="o">=</span><span class="sh">"</span><span class="s">FunctionUrl</span><span class="sh">"</span><span class="p">).</span><span class="nf">to_string</span><span class="p">(),</span> <span class="p">)</span> </code></pre> </div> <h2> Lambda Function Design </h2> <h3> cdk_tensorflow/lambda_funcs/TensorflowLambda/tensorflow_lambda.py </h3> <p>Again, trying to show a minimum working example. This Lambda function will try to load the model from the EFS. If it can’t be found (like on first run), it copies the model from the S3 bucket we created, saves it to EFS, and loads it again. Once we have the model loaded we can use it to make inferences. The handler will send the inference back to the client which queried it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># import tempfile </span><span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Tuple</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">joblib</span> <span class="k">def</span> <span class="nf">get_model</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">Tuple</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Gets model from EFS if exists. Otherwise load model from S3, save to EFS </span><span class="sh">"""</span> <span class="n">local_path</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">/mnt/models/model.tensorflow</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">local_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">rb</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">model</span> <span class="o">=</span> <span class="n">joblib</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">except</span> <span class="nb">FileNotFoundError</span><span class="p">:</span> <span class="n">client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">s3</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Save model to EFS </span> <span class="n">client</span><span class="p">.</span><span class="nf">download_file</span><span class="p">(</span> <span class="sh">"</span><span class="s">models-bucket</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">model.tensorflow</span><span class="sh">"</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">local_path</span><span class="p">),</span> <span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">local_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">rb</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">model</span> <span class="o">=</span> <span class="n">joblib</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">return</span> <span class="n">model</span> <span class="n">model</span> <span class="o">=</span> <span class="nf">get_model</span><span class="p">()</span> <span class="k">def</span> <span class="nf">get_prediction</span><span class="p">(</span><span class="n">model</span><span class="p">,</span> <span class="n">input_data</span><span class="p">):</span> <span class="c1"># Do what you need to do to feed input data to your model </span> <span class="k">return</span> <span class="mi">1</span> <span class="c1"># return output_data </span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="c1"># This is the data we get from the client query </span> <span class="n">data</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">queryStringParameters</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># I pass the data as a list to the API, but it gets converted into a string. </span> <span class="c1"># This is some fancy way to get back the list from the str(list) </span> <span class="n">split_str</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">,</span><span class="sh">"</span><span class="p">)</span> <span class="n">formatted_data</span> <span class="o">=</span> <span class="p">(</span> <span class="p">[</span><span class="nf">float</span><span class="p">(</span><span class="n">split_str</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">[</span><span class="sh">"</span><span class="p">)[</span><span class="o">-</span><span class="mi">1</span><span class="p">])]</span> <span class="o">+</span> <span class="p">[</span><span class="nf">float</span><span class="p">(</span><span class="n">y</span><span class="p">)</span> <span class="k">for</span> <span class="n">y</span> <span class="ow">in</span> <span class="n">split_str</span><span class="p">[</span><span class="mi">1</span><span class="p">:</span><span class="o">-</span><span class="mi">1</span><span class="p">]]</span> <span class="o">+</span> <span class="p">[</span><span class="nf">float</span><span class="p">(</span><span class="n">split_str</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">].</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">]</span><span class="sh">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">])]</span> <span class="p">)</span> <span class="k">assert</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">formatted_data</span><span class="p">,</span> <span class="nb">list</span><span class="p">)</span> <span class="c1"># Get a prediction by feeding your formatted input data into model </span> <span class="n">prediction</span> <span class="o">=</span> <span class="nf">get_prediction</span><span class="p">(</span><span class="n">model</span><span class="o">=</span><span class="n">model</span><span class="p">,</span> <span class="n">input_data</span><span class="o">=</span><span class="n">formatted_data</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">isBase64Encoded</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">The predicted value is </span><span class="si">{</span><span class="n">prediction</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <h3> cdk_tensorflow/lambda_funcs/TensorflowLambda/Dockerfile </h3> <p>Provides build instructions to build the Lambda function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> amazon/aws-lambda-python:latest</span> <span class="k">LABEL</span><span class="s"> maintainer="Wesley Cheek"</span> <span class="k">RUN </span>yum update <span class="nt">-y</span> <span class="o">&amp;&amp;</span> <span class="se">\ </span> yum <span class="nb">install</span> <span class="nt">-y</span> python3 python3-dev python3-pip gcc <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm</span> <span class="nt">-Rf</span> /var/cache/yum <span class="k">COPY</span><span class="s"> requirements.txt ./</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt <span class="k">COPY</span><span class="s"> tensorflow_lambda.py ./</span> <span class="k">CMD</span><span class="s"> ["tensorflow_lambda.handler"]</span> </code></pre> </div> <h3> cdk_tensorflow/lambda_funcs/TensorflowLambda/requirements.txt </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>joblib # I use tensorflow-cpu because it's half the size of the gpu version and Lambda doesn't have a GPU anyway. tensorflow-cpu boto3 </code></pre> </div> <h2> Deployment </h2> <p>We can run <code>cdk deploy</code> and our infrastructure will get autmatically deployed. Any files in the folder <code>model_files</code> will get uploaded to the s3 bucket we created. The Lambda function will be bundled using Docker and saved to <code>ECR</code>.</p> <h2> Testing &amp; Querying the Lambda function </h2> <p>Testing will depend on your model. I hope I have given you enough of an outline to get started. To send data to your newly deployed lambda function, you can find the Function URL either in the outputs after CDK has finished deploying or on the AWS Lambda console.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4a6wherfzycv824sodwz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4a6wherfzycv824sodwz.png" alt="Lambda console"></a></p> <p>The data shown below is "hello!" - for you it could be anything. My models would receive a list of values, for instance.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fykcvps11gilwa22jlpkt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fykcvps11gilwa22jlpkt.png" alt="Query function URL"></a></p> <p>Once you’re finished make sure to <code>cdk destroy</code> to avoid any charges!</p> <p>I hope this article has given you a good start to deploying your neural network or other machine learning algorithm with Lambda.</p> tensorflow aws cdk machinelearning Lambda function with persistent file store using AWS CDK and AWS EFS Wesley Cheek Thu, 21 Apr 2022 04:09:01 +0000 https://dev.to/wesleycheek/lambda-function-with-persistent-file-store-using-aws-cdk-and-aws-efs-45h8 https://dev.to/wesleycheek/lambda-function-with-persistent-file-store-using-aws-cdk-and-aws-efs-45h8 <p>Have you ever wanted Lambda functions to be able to save and load files locally without needing to transfer data between an S3 bucket? This article is for you.</p> <p>By using <code>AWS EFS</code> we can <a href="https://aws.amazon.com/blogs/compute/using-amazon-efs-for-aws-lambda-in-your-serverless-applications/" rel="noopener noreferrer">attach a persistent filesystem</a> to your Lambda function!</p> <p><a href="https://github.com/wcheek/CDK_Lambda_EFS" rel="noopener noreferrer">GitHub Repository</a></p> <h2> CDK init &amp; deploy </h2> <p>I won’t cover setting up CDK and bootstrapping the environment. You can find that information <a href="https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html" rel="noopener noreferrer">here.</a></p> <p>Once you have set up CDK, we need to set up the project:</p> <ol> <li><p><code>mkdir cdk_docker_lambda &amp;&amp; cd cdk_docker_lambda</code></p></li> <li><p><code>cdk init --language python</code></p></li> <li><p><code>source .venv/bin/activate</code></p></li> <li> <p><code>pip install -r requirements.txt &amp;&amp; pip install -r requirements-dev.txt</code></p> <p>Now deploy empty stack to AWS:</p> </li> <li><p><code>cdk deploy</code></p></li> </ol> <h2> Stack design </h2> <p>Our CDK stack is going to deploy an <code>EFS</code> filesystem, a Lambda function, and an access point which will allow us to attach the filesystem to the function.</p> <h3> cdk_lambda_efs/cdk_lambda_efs_stack.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">Stack</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_ec2</span> <span class="k">as</span> <span class="n">ec2</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_efs</span> <span class="k">as</span> <span class="n">efs</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_lambda</span> <span class="k">as</span> <span class="n">_lambda</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">RemovalPolicy</span> <span class="k">class</span> <span class="nc">CdkLambdaEfsStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># I like to define all my pieces in __init__ </span> <span class="n">self</span><span class="p">.</span><span class="n">vpc</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">access_point</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">lambda_func</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_infrastructure</span><span class="p">()</span> <span class="k">def</span> <span class="nf">build_infrastructure</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_vpc</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_filesystem</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_lambda_func</span><span class="p">()</span> <span class="k">def</span> <span class="nf">build_vpc</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="c1"># Build the VPC where both EFS and Lambda will sit </span> <span class="n">self</span><span class="p">.</span><span class="n">vpc</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">VPC</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">build_filesystem</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">file_system</span> <span class="o">=</span> <span class="n">efs</span><span class="p">.</span><span class="nc">FileSystem</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">Efs</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">file_system_name</span><span class="o">=</span><span class="sh">"</span><span class="s">ExampleLambdaAttachedEFS</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Makes sure to delete EFS when stack goes down </span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># create a new access point from the filesystem </span> <span class="n">self</span><span class="p">.</span><span class="n">access_point</span> <span class="o">=</span> <span class="n">file_system</span><span class="p">.</span><span class="nf">add_access_point</span><span class="p">(</span> <span class="sh">"</span><span class="s">AccessPoint</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># set /export/lambda as the root of the access point </span> <span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">/export/lambda</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># as /export/lambda does not exist in a new efs filesystem, the efs will create the directory with the following createAcl </span> <span class="n">create_acl</span><span class="o">=</span><span class="n">efs</span><span class="p">.</span><span class="nc">Acl</span><span class="p">(</span> <span class="n">owner_uid</span><span class="o">=</span><span class="sh">"</span><span class="s">1001</span><span class="sh">"</span><span class="p">,</span> <span class="n">owner_gid</span><span class="o">=</span><span class="sh">"</span><span class="s">1001</span><span class="sh">"</span><span class="p">,</span> <span class="n">permissions</span><span class="o">=</span><span class="sh">"</span><span class="s">750</span><span class="sh">"</span> <span class="p">),</span> <span class="c1"># enforce the POSIX identity so lambda function will access with this identity </span> <span class="n">posix_user</span><span class="o">=</span><span class="n">efs</span><span class="p">.</span><span class="nc">PosixUser</span><span class="p">(</span><span class="n">uid</span><span class="o">=</span><span class="sh">"</span><span class="s">1001</span><span class="sh">"</span><span class="p">,</span> <span class="n">gid</span><span class="o">=</span><span class="sh">"</span><span class="s">1001</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">build_lambda_func</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="c1"># I'm just using the normal CDK lambda function here. See my other articles for additional building methods. </span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">LambdaWithEFS</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_9</span><span class="p">,</span> <span class="c1"># lambda function file name.handler function </span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">lambda_EFS.handler</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Points to directory of lambda function </span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span><span class="sh">"</span><span class="s">cdk_lambda_efs/lambda_EFS</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># Lambda needs to be in same VPC as EFS </span> <span class="n">vpc</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">vpc</span><span class="p">,</span> <span class="n">filesystem</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">FileSystem</span><span class="p">.</span><span class="nf">from_efs_access_point</span><span class="p">(</span> <span class="n">ap</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">access_point</span><span class="p">,</span> <span class="n">mount_path</span><span class="o">=</span><span class="sh">"</span><span class="s">/mnt/filesystem</span><span class="sh">"</span> <span class="p">)</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">access_point</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h2> Lambda function </h2> <p>I will deploy a lambda function without any additional dependencies. If you need dependencies, you will need to use different <code>CDK</code> constructs to do it. <a href="https://dev.to/wesleycheek/deploy-an-api-fronted-lambda-function-using-aws-cdk-2nch">Here is an example of using aws_lambda_python_alpha</a> and <a href="https://dev.to/wesleycheek/deploy-a-docker-built-lambda-function-with-aws-cdk-fio">here is an example of building using Docker</a>.</p> <p>This lambda function opens a file on the <code>EFS</code> filesystem, writes a string to it, then opens it again and returns the result.</p> <h3> cdk_lambda_efs/lambda_EFS/lambda_EFS.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="c1"># Writing to a file on the EFS filesystem </span> <span class="n">path</span> <span class="o">=</span> <span class="nc">Path</span><span class="p">(</span><span class="sh">"</span><span class="s">/mnt/filesystem/test.txt</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="n">path</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="sh">"</span><span class="s">Test123</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Now open the file, read the text, return </span> <span class="k">with</span> <span class="n">path</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">text</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Hello Lambda! </span><span class="si">{</span><span class="n">text</span><span class="si">}</span><span class="sh">"</span> </code></pre> </div> <h2> Test the lambda function with attached filesystem </h2> <p>Navigate to the Lambda console on AWS. First notice the filesystem has been successfully attached to your lambda function</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgv2pbt26yb17vs7d48dh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgv2pbt26yb17vs7d48dh.png" alt="Showing attached file system"></a></p> <p>Now go ahead and test it using any kind of event.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1hkoivb730y9wwmw816p.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1hkoivb730y9wwmw816p.png" alt="Testing lambda"></a></p> <p>I hope this article has helped you to solve your problem of lambda not persisting data. EFS is an easy to use and versatile solution to memory problems.</p> <p>Make sure to <code>cdk destroy</code> when you're done to avoid any charges.</p> aws cloud cdk lambda Deploy a Docker built Lambda function with AWS CDK Wesley Cheek Thu, 21 Apr 2022 02:04:54 +0000 https://dev.to/wesleycheek/deploy-a-docker-built-lambda-function-with-aws-cdk-fio https://dev.to/wesleycheek/deploy-a-docker-built-lambda-function-with-aws-cdk-fio <p>This project is a minimum working example of deploying an AWS Lambda function using Docker and AWS CDK.</p> <p>Deploying Lambda functions using Docker has a number of benefits</p> <ul> <li>Package all necessary libraries into a single Docker image</li> <li>Bypass AWS Lambda's size constraint of 512 mb. Docker images stored on AWS ECR have a maximum size of 10 gb. I will show you how to deploy <code>Tensorflow</code> models in another post!</li> <li>It’s easy!</li> </ul> <p><a href="https://github.com/wcheek/CDK_Docker_Lambda" rel="noopener noreferrer">GitHub Repository</a></p> <h2> CDK init &amp; deploy </h2> <p>I won’t cover setting up CDK and bootstrapping the environment. You can find that information <a href="https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html" rel="noopener noreferrer">here.</a></p> <p>Once you have set up CDK, we need to set up the project:</p> <ol> <li><p><code>mkdir cdk_docker_lambda &amp;&amp; cd cdk_docker_lambda</code></p></li> <li><p><code>cdk init --language python</code></p></li> <li><p><code>source .venv/bin/activate</code></p></li> <li> <p><code>pip install -r requirements.txt &amp;&amp; pip install -r requirements-dev.txt</code></p> <p>Now deploy empty stack to AWS:</p> </li> <li><p><code>cdk deploy</code></p></li> </ol> <h2> Stack design </h2> <p>Our stack will deploy only a lambda function. The lambda function will be built using <code>Docker</code>, so be sure to have <code>Docker</code> installed and the <code>Docker</code> daemon running.</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># cdk_docker_lambda/cdk_docker_lambda_stack.py </span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">Stack</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_lambda</span> <span class="k">as</span> <span class="n">_lambda</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="k">class</span> <span class="nc">CdkDockerLambdaStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_lambda_func</span><span class="p">()</span> <span class="k">def</span> <span class="nf">build_lambda_func</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">prediction_lambda</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">DockerImageFunction</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">ExampleDockerLambda</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Function name on AWS </span> <span class="n">function_name</span><span class="o">=</span><span class="sh">"</span><span class="s">ExampleDockerLambda</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Use aws_cdk.aws_lambda.DockerImageCode.from_image_asset to build </span> <span class="c1"># a docker image on deployment </span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">DockerImageCode</span><span class="p">.</span><span class="nf">from_image_asset</span><span class="p">(</span> <span class="c1"># Directory relative to where you execute cdk deploy </span> <span class="c1"># contains a Dockerfile with build instructions </span> <span class="n">directory</span><span class="o">=</span><span class="sh">"</span><span class="s">cdk_docker_lambda/ExampleDockerLambda</span><span class="sh">"</span> <span class="p">),</span> <span class="p">)</span> </code></pre> </div> <h2> Lambda function </h2> <p>Create a new directory in <code>cdk_docker_lambda</code> called <code>ExampleDockerLambda</code>. Here we are going to put a <code>Dockerfile</code>, <code>requirements.txt</code> which holds our function’s dependencies, and the lambda function itself, <code>example_docker_lambda.py</code></p> <h3> cdk_docker_lambda/ExampleDockerLambda/Dockerfile </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code> <span class="k">FROM</span><span class="s"> amazon/aws-lambda-python:latest</span> <span class="k">LABEL</span><span class="s"> maintainer="Wesley Cheek"</span> <span class="c"># Installs python, removes cache file to make things smaller</span> <span class="k">RUN </span>yum update <span class="nt">-y</span> <span class="o">&amp;&amp;</span> <span class="se">\ </span> yum <span class="nb">install</span> <span class="nt">-y</span> python3 python3-dev python3-pip gcc <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm</span> <span class="nt">-Rf</span> /var/cache/yum <span class="c"># Copies requirements.txt file into the container</span> <span class="k">COPY</span><span class="s"> requirements.txt ./</span> <span class="c"># Installs dependencies found in your requirements.txt file</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt <span class="c"># Be sure to copy over the function itself!</span> <span class="c"># Goes last to take advantage of Docker caching.</span> <span class="k">COPY</span><span class="s"> example_docker_lambda.py ./</span> <span class="c"># Points to the handler function of your lambda function</span> <span class="k">CMD</span><span class="s"> ["example_docker_lambda.handler"]</span> </code></pre> </div> <h3> cdk_docker_lambda/ExampleDockerLambda/requirements.txt </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> requests </code></pre> </div> <h3> cdk_docker_lambda/ExampleDockerLambda/example_docker_lambda.py </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># Very simple </span> <span class="kn">import</span> <span class="n">requests</span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Hello Lambda!</span><span class="sh">"</span> </code></pre> </div> <p>Now <code>cdk deploy</code>. <code>AWS CDK</code> will build your new Lambda function using <code>Docker</code> and then push it for you to the <code>ECR</code> repository that was originally created for you by running <code>cdk bootstrap</code> during the CDK setup. How convenient. </p> <p>After the image is built and pushed, CDK will deploy the necessary infrastructure. You can navigate to the <code>AWS CloudFormation</code> console to view the deployment. It should only take a couple minutes. </p> <p>Once finished, you will find your beautiful <code>Docker</code> deployed Lambda function on the Lambda console</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F83zwh85t6rpq1v5ykdzi.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F83zwh85t6rpq1v5ykdzi.png" alt="Lambda console showing new function"></a></p> <h3> Test your Lambda function </h3> <p>We can use any kind of event since the function always just returns a string.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftmt8x65ectamwjpha6n5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftmt8x65ectamwjpha6n5.png" alt="Successful test of new lambda function"></a></p> <p>Have fun easily deploying any sized Lambda you’d like using <code>AWS CDK</code> and <code>Docker</code>! Make sure to <code>cdk destroy</code> when you're done to avoid any charges.</p> aws docker cdk lambda AWS Lambda Function URLs with AWS CDK Wesley Cheek Tue, 19 Apr 2022 07:52:33 +0000 https://dev.to/wesleycheek/aws-lambda-function-urls-with-aws-cdk-58ih https://dev.to/wesleycheek/aws-lambda-function-urls-with-aws-cdk-58ih <p><strong>NOTE</strong><br> Since I wrote this post, the CDK has <a href="https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_lambda/FunctionUrl.html" rel="noopener noreferrer">released an API to do this</a>, so it's no longer necessary to use custom resources like I detail below.</p> <p>For the lazy:</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="c1"># Can be a Function or an Alias # fn: lambda.Function # my_role: iam.Role </span> <span class="n">fn_url</span> <span class="o">=</span> <span class="n">fn</span><span class="p">.</span><span class="nf">add_function_url</span><span class="p">()</span> <span class="n">fn_url</span><span class="p">.</span><span class="nf">grant_invoke_url</span><span class="p">(</span><span class="n">my_role</span><span class="p">)</span> <span class="nc">CfnOutput</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">TheUrl</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># The .url attributes will return the unique Function URL </span> <span class="n">value</span><span class="o">=</span><span class="n">fn_url</span><span class="p">.</span><span class="n">url</span> <span class="p">)</span> </code></pre> </div> <p>AWS recently released a great new feature for Lambda: <a href="https://aws.amazon.com/blogs/aws/announcing-aws-lambda-function-urls-built-in-https-endpoints-for-single-function-microservices/" rel="noopener noreferrer">AWS Lambda Function URLs</a></p> <p>Function URLs promise to replace the <a href="https://dev.to/wesleycheek/deploy-an-api-fronted-lambda-function-using-aws-cdk-2nch">API Gateway Lambda Proxy</a> pattern as they allow a simpler way to do <code>HTTP GET</code> operations on your Lambda functions. They also don't suffer from the API gateway timeout problem of 30 sec.</p> <p>The <a href="https://github.com/wcheek/CDK_Lambda_function_URL" rel="noopener noreferrer">Github repository can be found here.</a></p> <h2> CDK init &amp; deploy </h2> <p>I won’t cover setting up CDK and bootstrapping the environment. You can find that information <a href="https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html" rel="noopener noreferrer">here.</a></p> <p>Once you have set up CDK, we need to set up the project:</p> <ol> <li><p><code>mkdir CDK_Lambda_URL &amp;&amp; cd CDK_Lambda_URL</code></p></li> <li><p><code>cdk init --language python</code></p></li> <li><p><code>source .venv/bin/activate</code></p></li> <li><p>Optional: If you need additional libraries in your Lambda function, add <code>aws-cdk.aws-lambda-python-alpha</code> to requirements.txt to allow custom builds during stack deployment using Docker.</p></li> <li> <p><code>pip install -r requirements.txt &amp;&amp; pip install -r requirements-dev.txt</code></p> <p>Now deploy empty stack to AWS:</p> </li> <li><p><code>cdk deploy</code></p></li> </ol> <h2> Stack design </h2> <p>This stack will deploy a lambda function using <code>aws-lambda-python-alpha</code> to build the function with all its additional libraries using a docker container. Make sure to have Docker installed and the daemon running before running <code>cdk deploy</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">CfnResource</span><span class="p">,</span> <span class="n">Stack</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_lambda</span> <span class="k">as</span> <span class="n">_lambda</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_lambda_python_alpha</span> <span class="k">as</span> <span class="n">_lambda_python</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="k">class</span> <span class="nc">LambdaStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># in __init__ I like to initialize the infrastructure I will be creating </span> <span class="n">self</span><span class="p">.</span><span class="n">example_lambda</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="nf">build_infrastructure</span><span class="p">()</span> <span class="k">def</span> <span class="nf">build_infrastructure</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="c1"># For convenience, consolidate infrastructure construction </span> <span class="n">self</span><span class="p">.</span><span class="nf">build_lambda</span><span class="p">()</span> <span class="k">def</span> <span class="nf">build_lambda</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">example_lambda</span> <span class="o">=</span> <span class="n">_lambda_python</span><span class="p">.</span><span class="nc">PythonFunction</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">ExampleLambda</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># entry points to the directory </span> <span class="n">entry</span><span class="o">=</span><span class="sh">"</span><span class="s">lambda_funcs/LambdaURL</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># index is the file name </span> <span class="n">index</span><span class="o">=</span><span class="sh">"</span><span class="s">URL_lambda.py</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># handler is the function entry point name in the lambda.py file </span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_9</span><span class="p">,</span> <span class="c1"># name of function on AWS </span> <span class="n">function_name</span><span class="o">=</span><span class="sh">"</span><span class="s">ExampleLambdaFunctionURL</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Set up the Lambda Function URL </span> <span class="n">cfnFuncUrl</span> <span class="o">=</span> <span class="nc">CfnResource</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">lambdaFuncUrl</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS::Lambda::Url</span><span class="sh">"</span><span class="p">,</span> <span class="n">properties</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">TargetFunctionArn</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">example_lambda</span><span class="p">.</span><span class="n">function_arn</span><span class="p">,</span> <span class="sh">"</span><span class="s">AuthType</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">NONE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Cors</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">AllowOrigins</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">]},</span> <span class="p">},</span> <span class="p">)</span> <span class="c1"># Give everyone permission to invoke the Function URL </span> <span class="nc">CfnResource</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">funcURLPermission</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS::Lambda::Permission</span><span class="sh">"</span><span class="p">,</span> <span class="n">properties</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">FunctionName</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">example_lambda</span><span class="p">.</span><span class="n">function_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">Principal</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">lambda:InvokeFunctionUrl</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">FunctionUrlAuthType</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">NONE</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">)</span> <span class="c1"># Get the Function URL as output </span> <span class="nc">Output</span><span class="p">(</span> <span class="n">scope</span><span class="o">=</span><span class="n">self</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="sh">"</span><span class="s">funcURLOutput</span><span class="sh">"</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">cfnFuncUrl</span><span class="p">.</span><span class="nf">get_att</span><span class="p">(</span><span class="n">attribute_name</span><span class="o">=</span><span class="sh">"</span><span class="s">FunctionUrl</span><span class="sh">"</span><span class="p">).</span><span class="nf">to_string</span><span class="p">(),</span> <span class="p">)</span> </code></pre> </div> <h2> Minimum Working Lambda Function </h2> <p>You can see <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html" rel="noopener noreferrer">here</a> an example of the response format the API gateway is expecting.</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">from</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">getLogger</span> <span class="n">logger</span> <span class="o">=</span> <span class="nf">getLogger</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">level</span><span class="o">=</span><span class="sh">"</span><span class="s">DEBUG</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="n">msg</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">Initial event: </span><span class="si">{</span><span class="n">event</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">isBase64Encoded</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Nice! You said </span><span class="si">{</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">queryStringParameters</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">q</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p>Now you can do <code>cdk deploy</code>. The lambda function will be built using docker and uploaded to the bootstrapped ECR repository. Once the project is built, it will synth a <code>CloudFormation</code> template and begin deploying the infrastructure. You can watch your stack deploy on <code>AWS CloudFormation</code> - it should be quick since the infrastructure is relatively simple.</p> <p>You can use the URL output by the stack or else navigate to your Lambda function on the <code>AWS Console</code> to find your <code>Lambda Function URL</code></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhie2nhnaqtj9pw0kinvp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhie2nhnaqtj9pw0kinvp.png" alt="Image showing stack output"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx9r19qatri1isgn7yxh7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx9r19qatri1isgn7yxh7.png" alt="Image showing function URL on AWS Console"></a></p> <h2> Query the Function URL </h2> <p>To query the <code>Function URL</code> and get a response back from your lambda function, just send a <code>GET</code> request using <code>requests</code> or <code>Postman</code></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo8v1kjbq5sil38ioqh3c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo8v1kjbq5sil38ioqh3c.png" alt="Image showing query"></a></p> <p>That's all! Make sure to <code>cdk destroy</code> when you're done to avoid any charges.</p> aws lambda cdk endpoint