├── .eslintignore
├── .eslintrc
├── .gitignore
├── .nvmrc
├── .terraform-version
├── .travis.yml
├── LEARNING.md
├── LICENSE.txt
├── README.md
├── aws-lambda-serverless-reference-Hero.png
├── aws
    └── bootstrap.yml
├── layers
    ├── repeat
    │   └── repeat
    │   │   └── index.js
    └── vendor
    │   └── nodejs
    │       ├── package.json
    │       └── yarn.lock
├── package.json
├── serverless.yml
├── src
    └── server
    │   ├── base.js
    │   ├── layers.js
    │   └── xray.js
├── terraform
    ├── main.tf
    ├── role-ci.tf
    ├── scripts
    │   └── dev.js
    ├── variables.tf
    └── versions.tf
└── yarn.lock


/.eslintignore:
--------------------------------------------------------------------------------
1 | node_modules
2 | 


--------------------------------------------------------------------------------
/.eslintrc:
--------------------------------------------------------------------------------
1 | ---
2 | extends:
3 |   - formidable/configurations/es6-node
4 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | .git
 2 | 
 3 | .DS_Store
 4 | .project
 5 | .vscode
 6 | node_modules
 7 | npm-debug.log*
 8 | yarn-error.log*
 9 | package-lock.json
10 | 
11 | aws/.service*
12 | 
13 | .serverless
14 | .terraform
15 | _warmup
16 | 


--------------------------------------------------------------------------------
/.nvmrc:
--------------------------------------------------------------------------------
1 | 12.14.0


--------------------------------------------------------------------------------
/.terraform-version:
--------------------------------------------------------------------------------
1 | 0.12.18
2 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
 1 | language: node_js
 2 | 
 3 | node_js:
 4 |   - "12"
 5 | 
 6 | branches:
 7 |   only:
 8 |     - master
 9 | 
10 | env:
11 |   global:
12 |     - TF_VERSION=0.12.18
13 | 
14 | before_install:
15 |   - wget https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip -O /tmp/terraform.zip
16 |   - sudo unzip -d /usr/local/bin/ /tmp/terraform.zip
17 | 
18 | install:
19 |   # Fail if lockfile outdated.
20 |   # https://yarnpkg.com/lang/en/docs/cli/install/#toc-yarn-install-frozen-lockfile
21 |   - yarn install --frozen-lockfile
22 | 
23 | script:
24 |   - yarn --version
25 |   - yarn run check:ci
26 | 


--------------------------------------------------------------------------------
/LEARNING.md:
--------------------------------------------------------------------------------
  1 | Learning 🎓
  2 | ==========
  3 | 
  4 | This project's primary audience is experienced cloud infrastructure folks looking to production-ize a modern Serverless stack in a single AWS account. But, it's also an appropriate place to learn the various parts along the way!
  5 | 
  6 | ## Contents
  7 | 
  8 | <!-- START doctoc generated TOC please keep comment here to allow auto update -->
  9 | <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 10 | 
 11 | 
 12 | - [Projects](#projects)
 13 | - [Getting Started](#getting-started)
 14 | - [Exercises](#exercises)
 15 |   - [Environments](#environments)
 16 |   - [Lambda Exercises](#lambda-exercises)
 17 |   - [Infrastructure Exercises](#infrastructure-exercises)
 18 | 
 19 | <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 20 | 
 21 | ## Projects
 22 | 
 23 | We have **three** main reference projects from which to learn:
 24 | 
 25 | * [aws-lambda-serverless-reference](https://github.com/FormidableLabs/aws-lambda-serverless-reference): (**This project!**) Our most basic Serverless reference with a full production infrastructure.
 26 | * [aws-lambda-dogs](https://github.com/FormidableLabs/aws-lambda-dogs): A simple REST API Serverless reference using [json-server](https://github.com/typicode/json-server). If you don't need VPC or are unsure of where to begin, start here.
 27 | * [badges](https://github.com/FormidableLabs/badges): Our advanced reference project that includes more complex enhancements like: per-PR environments, github-flow support, promote-to-production artifacts, etc. Once you've mastered manual CF + TF + SLS deploys, come over here and see how far automation can take us!
 28 | 
 29 | ## Getting Started
 30 | 
 31 | 1. (_For Formidables only_). Contact Roemer to get three AWS IAM users. The `-developer` and `-admin` users will be manually attached to the appropriate `sandbox` stage groups (`tf-simple-reference-sandbox-developer`, `tf-simple-reference-sandbox-admin`) for use with `serverless` commands.
 32 |     1. `FIRST.LAST` user: An AWS superadmin that can do things like deploy the bootstrap CloudFormation and service Terraform infrastructures. This user reflects a DevOps lead in a client project. Should only be used for `yarn cf:*` and `yarn tf:*` commands.
 33 |     2. `FIRST.LAST-developer` user: A user with IAM group permissions for the specific serverless project + `STAGE` to update an existing deployment. This reflects an engineer on a client project with limited privileges or maybe a CI system for staging or whatnot. Should only be used for `yarn lambda:*` commands.
 34 |     3. `FIRST.LAST-admin` user: A user with IAM group permissions for the specific serverless project + `STAGE` to update + create/delete any deployment. This reflects an engineer on a client project with full privileges over the serverless application, but not the supporting cloud infrastructure. Should only be used for `yarn lambda:*` commands.
 35 | 
 36 | 2. Then, follow all the basic directions for installation in the [README](./README.md).
 37 |     1. (_For Formidables only_). Please set up `aws-vault` per the instructions for your authentication method.
 38 | 
 39 | 3. Check that your credentials are set up for all appropriate work:
 40 | 
 41 |     ```sh
 42 |     # 1. Check CloudFormation as superadmin
 43 |     $ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- \
 44 |       yarn cf:bootstrap:status
 45 |     ...
 46 |     "UPDATE_COMPLETE" # (or some other status)
 47 | 
 48 |     # 2. Check Terraform as superadmin
 49 |     # 2.a. Init to appropriate stage backend.
 50 |     $ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- \
 51 |       yarn tf:service:init --reconfigure
 52 |     ...
 53 |     Terraform has been successfully initialized!
 54 | 
 55 |     # 2.b. Run plan to see any changes from our code vs. actual infrastructure.
 56 |     $ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- \
 57 |       yarn tf:service:plan
 58 |     ...
 59 |     No changes. Infrastructure is up-to-date.
 60 | 
 61 |     # 3. Check Serverless as `-developer`
 62 |     $ STAGE=sandbox aws-vault exec FIRST.LAST-developer --no-session -- \
 63 |       yarn lambda:info
 64 |     ...
 65 |     Service Information
 66 |     service: sls-simple-reference
 67 |     stage: sandbox
 68 |     region: us-east-1
 69 |     stack: sls-simple-reference-sandbox
 70 |     ...
 71 |     ```
 72 | 
 73 | ## Exercises
 74 | 
 75 | ### Environments
 76 | 
 77 | > `tl:dr`: use `sandbox` and only do `yarn lambda:*` commands for intro exercises.
 78 | 
 79 | **Lambda**
 80 | 
 81 | All of the introductory exercises are performed in the pre-existing `sandbox` environment using only `yarn lambda:*` commands to do serverless deployments as an `-admin` or `-developer` user. This means that you should just let folks know in an appropriate channel that you are "taking over" the environment.
 82 | 
 83 | **Infrastructure** (_CloudFormation + Terraform_)
 84 | 
 85 | Your superadmin user should be reserved only for work on _new_ environments. If you choose to do a new environment, it is _very important_ that you talk to Tyler or Roemer and refactor this application to grep and comment out all sections titled `OPTION` in `serverless.yml` and `terraform/main.tf` to remove all the extra bells and whistles (particularly VPC which is slow and complicates things) in a temporary branch to make your infrastructure work much easier and more focused.
 86 | 
 87 | ### Lambda Exercises
 88 | 
 89 | 1. Completely review and read the `README.md` one more time and ask questions in a slack channel!
 90 | 
 91 | 1. Do a deployment of the serverless branch as-is off `master` branch:
 92 | 
 93 |     ```sh
 94 |     $ STAGE=sandbox aws-vault exec FIRST.LAST-developer --no-session -- \
 95 |       yarn lambda:deploy
 96 |     ```
 97 | 
 98 |     ... then go and kick the tires on a URL!
 99 | 
100 |     The endpoints created will be listed under `endpoints` in the console output.  Please note that the endpoints MUST end with `/`.  If the output is `https://ii178wi5hi.execute-api.us-east-1.amazonaws.com/sandbox/base`, then you must use `https://ii178wi5hi.execute-api.us-east-1.amazonaws.com/sandbox/base/` (notice the trailing `/`) in your browser.
101 | 
102 | 1. Delete the serverless application and re-deploy it as-is off `master` branch:
103 | 
104 |     ```sh
105 |     # Be careful!
106 |     $ STAGE=sandbox aws-vault exec FIRST.LAST-admin --no-session -- \
107 |       yarn lambda:_delete
108 | 
109 |     # Now, the `lambda:deploy` command needs an `-admin` user to create.
110 |     $ STAGE=sandbox aws-vault exec FIRST.LAST-admin --no-session -- \
111 |       yarn lambda:deploy
112 |     ```
113 | 
114 | 1. Create a temporary branch and edit something in `src/server/base.js` that will be visible from a public URL. Then deploy it and check the results!
115 | 
116 |     ```sh
117 |     $ STAGE=sandbox aws-vault exec FIRST.LAST-developer --no-session -- \
118 |       yarn lambda:deploy
119 |     ```
120 | 
121 | 1. See if there are any [open issues](https://github.com/FormidableLabs/aws-lambda-serverless-reference/issues) that need just a serverless / application code fix and try to open a pull request! Or, be a saint and update all the root project dependencies in `package.json` to keep us up to date, verify everything still works, and open a pull request.
122 | 
123 | ### Infrastructure Exercises
124 | 
125 | Once you've got the basics of serverless deployment down, you can head over to [aws-lambda-dogs Infrastructure Exercises](https://github.com/FormidableLabs/aws-lambda-dogs/blob/master/LEARNING.md#infrastructure-exercises) to do things with your AWS superadmin user to the infrastructure (without having to deal with a VPC).
126 | 
127 | 


--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2019 Formidable Labs
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | [![AWS Lambda Serverless Reference — Formidable, We build the modern web](https://raw.githubusercontent.com/FormidableLabs/aws-lambda-serverless-reference/master/aws-lambda-serverless-reference-Hero.png)](https://formidable.com/open-source/)
  2 | 
  3 | [![Travis Status][trav_img]][trav_site]
  4 | [![Maintenance Status][maintenance-image]](#maintenance-status)
  5 | 
  6 | A simple "hello world" reference app for the [`FormidableLabs/serverless/aws`][FormidableLabs/serverless/aws] Terraform module, using the [serverless][] framework targeting an AWS Lambda deploy.
  7 | 
  8 | ## Contents
  9 | 
 10 | <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 11 | <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 12 | 
 13 | 
 14 | - [Overview](#overview)
 15 |   - [Audience](#audience)
 16 |   - [Stack](#stack)
 17 |   - [Naming](#naming)
 18 |   - [Stages](#stages)
 19 |   - [Environment Variables](#environment-variables)
 20 |   - [User Roles](#user-roles)
 21 | - [Installation](#installation)
 22 |   - [Node.js (Runtime)](#nodejs-runtime)
 23 |   - [AWS (Deployment)](#aws-deployment)
 24 |     - [AWS Tools](#aws-tools)
 25 |     - [Terraform](#terraform)
 26 |     - [AWS Credentials](#aws-credentials)
 27 |       - [In Environment](#in-environment)
 28 |       - [Saved to Local Disk](#saved-to-local-disk)
 29 |       - [AWS Vault](#aws-vault)
 30 | - [Development](#development)
 31 |   - [Node.js](#nodejs)
 32 |   - [Lambda Offline](#lambda-offline)
 33 | - [Support Stack Provisioning (Superuser)](#support-stack-provisioning-superuser)
 34 |   - [Bootstrap Stack](#bootstrap-stack)
 35 |   - [Service Stack](#service-stack)
 36 | - [Serverless Deployment (IAM Roles)](#serverless-deployment-iam-roles)
 37 |   - [Admin Deployment](#admin-deployment)
 38 |   - [User Deployment](#user-deployment)
 39 | - [`terraform-aws-serverless` Development](#terraform-aws-serverless-development)
 40 | 
 41 | <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 42 | 
 43 | ## Overview
 44 | 
 45 | Getting a `serverless` application into the cloud "the right way" can be a challenge. To this end, we start with a super-simple, "hello world" Express app targeting AWS Lambda using serverless. Along the way, this reference project takes care of all of the **tough** supporting pieces that go into a production-ready, best-practices-following cloud infrastructure like:
 46 | 
 47 | - Local development workflows.
 48 | - Terraform stack controlling IAM permissions and cloud resources to support a vanilla `serverless` application.
 49 | - Remote state management for Terraform.
 50 | - Serverless application deployment and production lifecycle management.
 51 | 
 52 | Using this project as a template, you can hopefully take a new `serverless` application and set up "everything else" to support it in AWS the right way, from the start.
 53 | 
 54 | A great starting point is our [introduction blog post](https://formidable.com/blog/2019/locking-down-aws-serverless-applications-the-right-way/) that explains existing privilege approaches, motivations for this project, and some quick example infrastructures.
 55 | 
 56 | ### Audience
 57 | 
 58 | This reference application is meant for developers / architects who are already familiar with AWS infrastructures (and CloudFormation), Terraform, and Serverless framework applications. This project will hopefully provide some guidance / examples to get the whole shebang all the way to a multi-environment deployment and support a team of administrators and engineers for the application.
 59 | 
 60 | For folks (particularly [Formidables](https://formidable.com/)) interested in learning more about how we construct our production cloud infrastructures, head over to our [learning page](./LEARNING.md).
 61 | 
 62 | ### Stack
 63 | 
 64 | We use very simple, very common tools to allow a mostly vanilla Express server to run in localdev / Docker like a normal Node.js HTTP server and _also_ as a Lambda function exposed via API Gateway.
 65 | 
 66 | Tech stack:
 67 | 
 68 | * [`express`](serverless-http): A server.
 69 | 
 70 | Infrastructure stack:
 71 | 
 72 | * [serverless][]: Build / deployment framework for getting code to Lambda.
 73 | * [serverless-http][]: Bridge to make a vanilla Express server run on Lambda.
 74 | 
 75 | Infrastructure tools:
 76 | 
 77 | * AWS [CloudFormation][]: Create AWS cloud resources using YAML. The `serverless` framework creates a CloudFormation stack of Lambda-supporting resources as part of a normal deployment. This project also uses a small CloudFormation stack to bootstrap an S3 bucket and DynamoDB to handle Terraform state.
 78 | * HashiCorp [Terraform][]: Create AWS cloud resources using [HCL][]. Typically more flexible and expressive than CloudFormation. We have a simple Terraform stack that uses the [`FormidableLabs/serverless/aws`][FormidableLabs/serverless/aws] module to set up a production-ready set of resources (IAM, monitoring, etc.) to support the resources/stack generated by `serverless`.
 79 | 
 80 | ### Naming
 81 | 
 82 | We use a naming convention in cloud resources and `yarn` tasks to separate some various high level things:
 83 | 
 84 | * `cf`: AWS CloudFormation specific names.
 85 | * `tf`: Terraform specific names.
 86 | * `sls`: Serverless framework names.
 87 | 
 88 | ### Stages
 89 | 
 90 | Development hits a local machine, and when programmatically named, is usually referred to as:
 91 | 
 92 | * `localdev`: A development-only setup running on a local machine.
 93 | 
 94 | We target four different stages/environments of AWS hosted deployments:
 95 | 
 96 | * `sandbox`: A loose environment where developers can manually push / check things / break things with impunity. Typically deployed from developer laptops.
 97 | * `development`: Tracks feature development branches. Typically deployed by CI on merges to `develop` branch if using git flow workflow.
 98 | * `staging`: A near-production environment to validate changes before committing to actual production. Typically deployed by CI for release candidate branches before merging to `master`.
 99 | * `production`: The real deal. Typically deployed by CI after a merge to `master`.
100 | 
101 | Note that these are completely arbitrary groups, both in composition and naming. There a sensible set of groups if you need just some starting point. But the final group (or even one if you want) is totally up to you!
102 | 
103 | All of our `yarn run <task>` tasks should be run with a `STAGE=<value>` prefix. The default is to assume `STAGE=localdev` and only commands like `yarn run node:localdev` or `yarn run lambda:localdev` can run without specification successfully. For commands actually targeting AWS, please prefix like:
104 | 
105 | ```sh
106 | $ STAGE=sandbox yarn run <task>
107 | $ STAGE=development yarn run <task>
108 | $ STAGE=stage yarn run <task>
109 | $ STAGE=production yarn run <task>
110 | ```
111 | 
112 | _Note_: We separate the `STAGE` variable from `NODE_ENV` because often there are build implications of `NODE_ENV` that are distinct from our notion of deploy target environments.
113 | 
114 | ### Environment Variables
115 | 
116 | Our task runner scheme is a bash + `yarn` based system crafted around the following environment variables (with defaults):
117 | 
118 | * `STAGE`: `localdev`
119 | * `SERVICE_NAME`: `simple-reference` (The name of the application/service in the cloud.)
120 | * `AWS_REGION`: `us-east-1`
121 | 
122 | ... and some minor localdev only ones:
123 | 
124 | * `AWS_XRAY_CONTEXT_MISSING`: `LOG_ERROR` (Have Xray not error in localdev)
125 | * `SERVER_PORT`: `3000`
126 | * `SERVER_HOST`: `0.0.0.0`
127 | 
128 | ... and some implied ones:
129 | 
130 | * `FUNCTION_NAME`: The name of a given Lambda function. In this project, the main one is `server`.
131 | 
132 | If your project supports Windows, you will want to have a more general / permissive approach.
133 | 
134 | ### User Roles
135 | 
136 | We rely on IAM roles to limit privileges to the minimum necessary to provision, update, and deploy the service. Typically this involves creating personalized users in the AWS console, and then assigning them groups for varying appropriate degrees of privilege. Here are the relevant ones for this reference project:
137 | 
138 | * **Superuser - Support Stack**: A privileged user that can create the initial bootstrap CloudFormation stack and Terraform service module that will support a Serverless application. It should not be used for Serverless deploys.
139 | * **IAM Groups - Serverless App**: The [`FormidableLabs/serverless/aws`][FormidableLabs/serverless/aws] module provides IAM groups and support for different types of users to create/update/delete the Serverless application. The IAM groups created are:
140 |     * `tf-${SERVICE_NAME}-${STAGE}-admin`: Can create/delete/update the Severless app.
141 |     * `tf-${SERVICE_NAME}-${STAGE}-developer`: Can deploy the Severless app.
142 |     * `tf-${SERVICE_NAME}-${STAGE}-ci`: Can deploy the Severless app.
143 | 
144 | > ℹ️ **Note**: Our cloud infrastructure is based on an approach of a single shared AWS account (with many limited IAM users). A more secure and differently complex option is to use _separate_ AWS accounts for different stages/environments for infrastructures/applications. We discuss these approaches more in our [introductory blog post](https://formidable.com/blog/2019/locking-down-aws-serverless-applications-the-right-way/#existing-privilege-approaches) for the `FormidableLabs/serverless/aws` Terraform module.
145 | >
146 | > In practice, many real world projects will segregate at least the ultimate production infrastructure to a separate AWS account and potentially utilize multiple infrastructures within a shared non-production AWS account. There are many ways to implement a robust production privilege approach, and this reference project implements just one of them!
147 | 
148 | ## Installation
149 | 
150 | ### Node.js (Runtime)
151 | 
152 | Our application is a Node.js server.
153 | 
154 | First, make sure you have our version of node (determined by `.nvmrc`) that matches our Lambda target (you will need to have [`nvm`](https://github.com/creationix/nvm) installed):
155 | 
156 | ```sh
157 | $ nvm use
158 | ```
159 | 
160 | Then, `yarn` install the Node.js dependencies:
161 | 
162 | ```sh
163 | $ yarn install
164 | ```
165 | 
166 | ### AWS (Deployment)
167 | 
168 | #### AWS Tools
169 | 
170 | Certain administrative / development work require the AWS CLI tools to prepare and deploy our staging / production services. To get those either do:
171 | 
172 | ```sh
173 | # Install via Python
174 | $ sudo pip install awscli --ignore-installed six
175 | 
176 | # Or brew
177 | $ brew install awscli
178 | ```
179 | 
180 | After this you should be able to type:
181 | 
182 | ```sh
183 | $ aws --version
184 | ```
185 | 
186 | #### Terraform
187 | 
188 | Install [tfenv][] from Homebrew: `brew install tfenv`. Then, in the root of the repo, run `tfenv install` to download and  use the pinned version of Terraform for this project.
189 | 
190 | Note that `tfenv` conflicts with Homebrew `terraform` and must be uninstalled first. You can still use `tfenv` to install and use the latest Terraform version in projects that don't have a `.terraform-version` file.
191 | 
192 | #### AWS Credentials
193 | 
194 | To work with this reference app, you need AWS credentials for your specific user (aka, `FIRST.LAST`). To create the bootstrap and service support stacks, that user will need to be a superuser. To deploy `serverless` applications, the user will need to be attached to given `tf-${SERVICE_NAME}-${STAGE}-(admin|developer)` IAM groups after the service stack is created.
195 | 
196 | Once you have a user + access + secret keys, you need to make them available to commands requiring them. There are a couple of options:
197 | 
198 | ##### In Environment
199 | 
200 | You can append the following two environment variables to any command like:
201 | 
202 | ```sh
203 | $ AWS_ACCESS_KEY_ID=INSERT \
204 |   AWS_SECRET_ACCESS_KEY=INSERT \
205 |   STAGE=sandbox \
206 |   yarn run lambda:info
207 | ```
208 | 
209 | This has the advantage of not storing secrets on disk. The disadvantage is needing to keep the secrets around to paste and/or `export` into every new terminal.
210 | 
211 | ##### Saved to Local Disk
212 | 
213 | Another option is to store the secrets on disk. You can configure your `~/.aws` credentials like:
214 | 
215 | ```sh
216 | $ mkdir -p ~/.aws
217 | $ touch ~/.aws/credentials
218 | ```
219 | 
220 | Then add a `default` entry if you only anticipate working on this one project  or a named profile entry of your username (aka, `FIRST.LAST`):
221 | 
222 | ```sh
223 | $ vim ~/.aws/credentials
224 | [default|FIRST.LAST]
225 | aws_access_key_id = INSERT
226 | aws_secret_access_key = INSERT
227 | ```
228 | 
229 | If you are using a named profile, then export it into the environment in any terminal you are working in:
230 | 
231 | ```sh
232 | $ export AWS_PROFILE="FIRST.LAST"
233 | $ STAGE=sandbox yarn run lambda:info
234 | ```
235 | 
236 | Or, you can declare the variable inline:
237 | 
238 | ```sh
239 | $ AWS_PROFILE="FIRST.LAST"\
240 |   STAGE=sandbox \
241 |   yarn run lambda:info
242 | ```
243 | 
244 | ##### AWS Vault
245 | 
246 | The most secure mix of the two above options is to install and use
247 | [aws-vault](https://github.com/99designs/aws-vault). Once you've followed the installation instructions, you can set up and use a profile like:
248 | 
249 | ```sh
250 | # Store AWS credentials for a profile named "FIRST.LAST"
251 | $ aws-vault add FIRST.LAST
252 | Enter Access Key Id: INSERT
253 | Enter Secret Key: INSERT
254 | 
255 | # Execute a command with temporary creds
256 | $ STAGE=sandbox aws-vault exec FIRST.LAST -- yarn run lambda:info
257 | ```
258 | 
259 | > ⚠️ **Warning**: Certain IAM role creation commands do not work with the default `aws-vault` setup if you have MFA set up (which you should).
260 | 
261 | The following commands that definitely need extra command support:
262 | 
263 | * `yarn tf:service:apply`
264 | * `yarn tf:service:_delete`
265 | * `yarn lambda:deploy`
266 | 
267 | We have a [research ticket](https://github.com/FormidableLabs/aws-lambda-serverless-reference/issues/38) to better handle sessions with MFA, but in the meantime you can simply add the `--no-session` flag to any `aws-vault` commands that need it. E.g.
268 | 
269 | ```sh
270 | $ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- <ACTUAL_COMMAND>
271 | 
272 | # E.g.
273 | $ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- STAGE=sandbox yarn tf:service:apply
274 | ```
275 | 
276 | In practice, it is probably easier in the meantime to just always add the `--no-session` flag when using `aws-vault exec`.
277 | 
278 | ## Development
279 | 
280 | We have several options for developing a service locally, with different advantages. Here's a quick list of application ports / running commands:
281 | 
282 | * `3000`: Node server via `nodemon`. (`yarn node:localdev`)
283 | * `3001`: Lambda offline local simulation. (`yarn lambda:localdev`)
284 | 
285 | ### Node.js
286 | 
287 | Run the server straight up in your terminal with Node.js via `nodemon` for instant restarts on changes. Note that because we effectively run the same server at different URL bases you must separately specify them.
288 | 
289 | ```sh
290 | # Base server
291 | $ yarn node:localdev
292 | 
293 | # Different scenarios that reuse base.js
294 | $ BASE_URL=/canary yarn node:localdev
295 | $ BASE_URL=/vpc yarn node:localdev
296 | $ BASE_URL=/layers yarn node:localdev
297 | 
298 | # Other scenarios that use a different js file.
299 | $ SCENARIO=xray yarn node:localdev
300 | ```
301 | 
302 | See it in action!:
303 | 
304 | - [http://127.0.0.1:3000/base/hello.json](http://127.0.0.1:3000/base/hello.json)
305 | 
306 | Or from the command line:
307 | 
308 | ```sh
309 | $ curl -X POST "http://127.0.0.1:3000/base/hello.json" \
310 |   -H "Content-Type: application/json"
311 | ```
312 | 
313 | ### Lambda Offline
314 | 
315 | Run the server in a Lambda simulation via the [`serverless-offline`](https://github.com/dherault/serverless-offline) plugin. In contrast to `node:localdev` above, _all_ routes and functions are loaded together.
316 | 
317 | ```sh
318 | $ yarn lambda:localdev
319 | ```
320 | 
321 | See it in action!:
322 | 
323 | - [http://127.0.0.1:3001/base/hello.json](http://127.0.0.1:3001/base/hello.json)
324 | 
325 | ## Support Stack Provisioning (Superuser)
326 | 
327 | This section discusses getting AWS resources provisioned to support Terraform and then Serverless.
328 | 
329 | The basic overview is:
330 | 
331 | 1. **Bootstrap Stack**: Use AWS CloudFormation to provision resources to manage Terraform state.
332 | 2. **Service Stack**: Use Terraform to provision resources / permissions to accompany a Serverless deploy.
333 | 
334 | after this, _then_ we are ready to deploy a standard `serverless` application with full support!
335 | 
336 | ### Bootstrap Stack
337 | 
338 | This step creates an S3 bucket and DynamoDB data store to enable Terraform to remotely manage it's state. We do this via AWS CloudFormation.
339 | 
340 | All commands in this section should be run by an AWS superuser. The configuration for all of this section is controlled by: [`aws/bootstrap.yml`](./aws/bootstrap.yml). Commands and resources created are all prefixed with `cf` as a project-specific choice for ease of identification in the AWS console (vs. Terraform vs. Serverless-generated).
341 | 
342 | **Create** the CloudFormation stack:
343 | 
344 | ```sh
345 | # Provision stack.
346 | $ STAGE=sandbox yarn run cf:bootstrap:create
347 | {
348 |     "StackId": "arn:aws:cloudformation:${AWS_REGION}:${AWS_ACCOUNT}:stack/cf-${SERVICE_NAME}-${STAGE}-bootstrap/HASH"
349 | }
350 | 
351 | # Check status until reach `CREATE_COMPLETE`
352 | $ STAGE=sandbox yarn run cf:bootstrap:status
353 | "CREATE_COMPLETE"
354 | ```
355 | 
356 | Once this is complete, you can move on to provisioning the service stack section. The remaining commands below are only if you need to update / delete the bootstrap stack, which shouldn't happen that often.
357 | 
358 | **Update** the CloudFormation stack:
359 | 
360 | ```sh
361 | # Update, then check status.
362 | $ STAGE=sandbox yarn run cf:bootstrap:update
363 | $ STAGE=sandbox yarn run cf:bootstrap:status
364 | ```
365 | 
366 | **Delete** the CloudFormation stack:
367 | 
368 | The bootstrap stack should only be deleted _after_ you have removed all of the `-admin|-developer|-ci` groups from users and deleted the Serverless and Terraform service stacks.
369 | 
370 | ```sh
371 | # **WARNING**: Use with extreme caution!!!
372 | $ STAGE=sandbox yarn run cf:bootstrap:_delete
373 | 
374 | # Check status. (A status or error with `does not exist` when done).
375 | $ STAGE=sandbox yarn run cf:bootstrap:status
376 | An error occurred (ValidationError) when calling the DescribeStacks operation: Stack with id cf-SERVICE_NAME-STAGE does not exist
377 | ```
378 | 
379 | ### Service Stack
380 | 
381 | This step provisions a Terraform stack to provide us with IAM groups and other AWS resources to support and enhance a Serverless provision (in the next section).
382 | 
383 | All commands in this section should be run by an AWS superuser.  The configuration for all of this section is controlled by: [`terraform/main.tf`](./terraform/main.tf). Commands and resources created are all prefixed with `tf` as a project-specific choice for ease of identification.
384 | 
385 | > ℹ️ **Note**: We use the `terraform` CLI program under the hood directly for all of our Terraform work. This is simple and good for learning, but in a real world infrastructure has several limitations (such as the pain of remembering to re-`init` environments on switching, etc.). Consequently, if you're looking to maintain multiple environments with Terraform in the real world, consider more flexible meta tools like [terragrunt](https://github.com/gruntwork-io/terragrunt).
386 | 
387 | **Init** your local Terraform state.
388 | 
389 | This needs to be run once to be able to run any other Terraform commands.
390 | 
391 | ```sh
392 | $ STAGE=sandbox yarn run tf:service:init --reconfigure
393 | ```
394 | 
395 | > ⚠️ **Warning**: You need to run `yarn run tf:service:init` **every** time you change `STAGE` or other core environmental setup before you can mutate anything with the stack (like `yarn run tf:service:apply`). Failure to do so will result in bad things like incorrect stage variables applied to an old, stale stage in the underlying Terraform local disk cache.
396 | 
397 | > ℹ️ **Note**: We suggest using the `--reconfigure` flag every time you run `init` when switching environments so that the remote state (in S3) remains the source of truth and accidental stuff you do on local disk doesn't end up corrupting things.
398 | 
399 | **Plan** the Terraform stack.
400 | 
401 | Terraform allows you to see what's going to happen / change in your cloud infrastructure before actually committing to it, so it is _always_ a good idea to run a plan before any Terraform mutating command.
402 | 
403 | ```sh
404 | $ STAGE=sandbox yarn run tf:service:plan
405 | ```
406 | 
407 | **Apply** the Terraform stack:
408 | 
409 | This creates / updates as appropriate.
410 | 
411 | ```sh
412 | # Type in `yes` to go forward
413 | $ STAGE=sandbox yarn run tf:service:apply
414 | 
415 | # YOLO: run without checking first
416 | $ STAGE=sandbox yarn run tf:service:apply -auto-approve
417 | 
418 | # **WARNING**: If using `aws-vault`, remember `--no-session`!
419 | $ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- STAGE=sandbox yarn tf:service:apply
420 | ```
421 | 
422 | **Delete** the Terraform stack:
423 | 
424 | The service stack should only be deleted _after_ you have removed all of the `-admin|-developer|-ci` groups from users and deleted the Serverless stack.
425 | 
426 | ```sh
427 | # **WARNING**: Use with extreme caution!!!
428 | # Type in `yes` to go forward
429 | $ STAGE=sandbox yarn run tf:service:_delete
430 | 
431 | # YOLO: run without checking first
432 | $ STAGE=sandbox yarn run tf:service:_delete -auto-approve
433 | 
434 | # **WARNING**: If using `aws-vault`, remember `--no-session`!
435 | $ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- STAGE=sandbox yarn tf:service:_delete
436 | ```
437 | 
438 | **Visualize** the Terraform stack:
439 | 
440 | These are Mac-based instructions, but analogous steps are available on other platforms. First, you'll need GraphViz for the `dot` tool:
441 | 
442 | ```sh
443 | $ brew install graphviz
444 | ```
445 | 
446 | From there, you can visualize with:
447 | 
448 | ```sh
449 | # Generate SVG
450 | $ STAGE=sandbox yarn run -s tf:terraform graph | dot -Tsvg > ~/Desktop/infrastructure.svg
451 | ```
452 | 
453 | ## Serverless Deployment (IAM Roles)
454 | 
455 | This section discusses developers getting code and secrets deployed (manually from local machines to an AWS `development` playground or automated via CI).
456 | 
457 | All commands in this section should be run by AWS users with attached IAM groups provisioned by our support stack of `tf-${SERVICE_NAME}-${STAGE}-(admin|developer|ci)`. The configuration for this section is controlled by: [`serverless.yml`](./serverless.yml)
458 | 
459 | > ⚠️ **Prod/Real World Warning**: This reference application deploys from local laptops for ease of instruction. However, our laptops are usually a different operating system than the target Lambda Linux execution environment. This is an issue for binary dependencies in `node_modules` which are OS-specific and zipped up and shipped with the Lambda application.
460 | >
461 | > Our reference application presently does not have binary dependencies, but as a best practice for a real world Lambda application, you should not package and deploy from a different OS than your target Lambda execution environment. This means if locally deploying using an appropriate Docker setup for packaging, or using a CI/CD system that matches the Lambda OS to package and deploy the application.
462 | 
463 | ### Admin Deployment
464 | 
465 | These actions are reserved for `-admin` users.
466 | 
467 | **Create** the Lambda app. The first time through a `deploy`, an `-admin` user
468 | is required (to effect the underlying CloudFormation changes).
469 | 
470 | ```sh
471 | $ STAGE=sandbox yarn run lambda:deploy
472 | 
473 | # **WARNING**: If using `aws-vault`, remember `--no-session`!
474 | $ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- STAGE=sandbox yarn lambda:deploy
475 | 
476 | # Check on app and endpoints.
477 | $ STAGE=sandbox yarn run lambda:info
478 | ```
479 | 
480 | **Delete** the Lambda app.
481 | 
482 | ```sh
483 | # **WARNING**: Use with extreme caution!!!
484 | $ STAGE=sandbox yarn run lambda:_delete
485 | 
486 | # Confirm (with expected error).
487 | $ STAGE=sandbox yarn lambda:info
488 | ...
489 | 
490 |   Serverless Error ---------------------------------------
491 | 
492 |   Stack with id sls-${SERVICE_NAME}-${STAGE} does not exist
493 | ```
494 | 
495 | **Metrics**:
496 | 
497 | ```sh
498 | # Show metrics for an application
499 | $ STAGE=sandbox yarn run lambda:metrics
500 | ```
501 | 
502 | ### User Deployment
503 | 
504 | These actions can be performed by any user (`-admin|developer|ci`).
505 | 
506 | Get server **information**:
507 | 
508 | ```sh
509 | $ STAGE=sandbox yarn run lambda:info
510 | ...
511 | endpoints:
512 |   ANY - https://HASH.execute-api.AWS_REGION.amazonaws.com/STAGE/base
513 |   ANY - https://HASH.execute-api.AWS_REGION.amazonaws.com/STAGE/base/{proxy+}
514 |   ANY - https://HASH.execute-api.AWS_REGION.amazonaws.com/STAGE/xray
515 |   ANY - https://HASH.execute-api.AWS_REGION.amazonaws.com/STAGE/xray/{proxy+}
516 | ...
517 | ```
518 | 
519 | See the **logs**:
520 | 
521 | ```sh
522 | $ STAGE=sandbox yarn run lambda:logs -f FUNCTION_NAME
523 | ```
524 | 
525 | _Note_: To see the logs in the AWS console, you unfortunately cannot just click on "CloudWatch > Logs" and see the relevant potential ones listed because a wildcard would be needed for `log:DescribeLogGroups|Streams`. However, if you know the log group generated name, and we **do** here, you can fill in the blanks and navigate to:
526 | 
527 | ```
528 | https://console.aws.amazon.com/cloudwatch/home?#logStream:group=/aws/lambda/sls-SERVICE_NAME-STAGE-FUNCTION_NAME;streamFilter=typeLogStreamPrefix
529 | ```
530 | 
531 | **Update** the Lambda server.
532 | 
533 | ```sh
534 | $ STAGE=sandbox yarn run lambda:deploy
535 | 
536 | # **WARNING**: If using `aws-vault`, remember `--no-session`!
537 | $ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- STAGE=sandbox yarn lambda:deploy
538 | ```
539 | 
540 | **Rollback** to a previous Lambda deployment:
541 | 
542 | If something has gone wrong, you can see the list of available states to
543 | roll back to with:
544 | 
545 | ```sh
546 | $ STAGE=sandbox yarn run lambda:rollback
547 | ```
548 | 
549 | Then choose a datestamp and add with the `-t` flag like:
550 | 
551 | ```sh
552 | $ STAGE=sandbox yarn run lambda:rollback -t 2019-02-07T00:35:56.362Z
553 | ```
554 | 
555 | ## `terraform-aws-serverless` Development
556 | 
557 | _For contributors to [FormidableLabs/serverless/aws][]_
558 | 
559 | To test out a local branch of `terraform-aws-serverless`, first clone it to the relative path of `../terraform-aws-serverless` from this project's checkout. Then run the command:
560 | 
561 | ```sh
562 | $ yarn _dev:on
563 | ```
564 | 
565 | To switch to the local modules instead of published ones. Next, make sure to re-initialize Terraform to pick up the local modules:
566 | 
567 | ```sh
568 | $ STAGE=sandbox yarn run tf:service:init --reconfigure
569 | ```
570 | 
571 | Then, do all your testing of the local module. When you're ready to unwind the changes, you can do:
572 | 
573 | ```sh
574 | $ yarn _dev:off
575 | ```
576 | 
577 | To switch back to the published version. Typically then you'll do a version bump if we've published a new module. Then again re-initialize:
578 | 
579 | ```sh
580 | $ STAGE=sandbox yarn run tf:service:init --reconfigure
581 | ```
582 | 
583 | ...and you're up and running the published module again!
584 | 
585 | [serverless]: https://serverless.com/
586 | [serverless-http]: https://github.com/dougmoscrop/serverless-http
587 | [Terraform]: https://www.terraform.io
588 | [CloudFormation]: https://aws.amazon.com/cloudformation/
589 | [tfenv]: https://github.com/tfutils/tfenv
590 | [HCL]: https://www.terraform.io/docs/configuration/syntax.html
591 | [FormidableLabs/serverless/aws]: https://registry.terraform.io/modules/FormidableLabs/serverless/aws
592 | 
593 | [trav_img]: https://api.travis-ci.com/FormidableLabs/aws-lambda-serverless-reference.svg
594 | [trav_site]: https://travis-ci.com/FormidableLabs/aws-lambda-serverless-reference
595 | 
596 | 
597 | ## Maintenance Status
598 | 
599 | **Stable:** Formidable is not planning to develop any new features for this project. We are still responding to bug reports and security concerns. We are still welcoming PRs for this project, but PRs that include new features should be small and easy to integrate and should not include breaking changes.
600 | 
601 | [maintenance-image]: https://img.shields.io/badge/maintenance-stable-yellow.svg?color=yellow&style=flat
602 | 


--------------------------------------------------------------------------------
/aws-lambda-serverless-reference-Hero.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/FormidableLabs/aws-lambda-serverless-reference/5ed26dde4b917bd1554fb33658395849c5ccd241/aws-lambda-serverless-reference-Hero.png


--------------------------------------------------------------------------------
/aws/bootstrap.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | #############################################################################
 3 | # Bootstrap
 4 | #############################################################################
 5 | # This template provides base resources for a Terraform stack to store and
 6 | # manage remote state.
 7 | #############################################################################
 8 | AWSTemplateFormatVersion: "2010-09-09"
 9 | 
10 | Description: "Terraform bootstrap"
11 | 
12 | # Custom parameters
13 | Parameters:
14 |   ServiceName:
15 |     Description: Base name of the service
16 |     Type: String
17 | 
18 |   # Our arbitrary choices for supported, isolated statges.
19 |   Stage:
20 |     Description: Operational stage (e.g., development, staging, production)
21 |     Type: String
22 | 
23 | Resources:
24 |   # Enable Terraform state in AWS
25 |   # https://www.terraform.io/docs/backends/types/s3.html
26 |   TerraformState:
27 |     Type: AWS::S3::Bucket
28 |     Properties:
29 |       BucketName: !Sub "cf-${ServiceName}-${Stage}-terraform-state"
30 |       # > It is highly recommended that you enable Bucket Versioning on the S3
31 |       # > bucket to allow for state recovery in the case of accidental deletions
32 |       # > and human error.
33 |       VersioningConfiguration:
34 |         Status: Enabled
35 |       Tags:
36 |         -
37 |           Key: "Service"
38 |           Value: !Sub "${ServiceName}"
39 |         -
40 |           Key: "Stage"
41 |           Value: !Sub "${Stage}"
42 | 
43 |   TerraformLocks:
44 |     Type: AWS::DynamoDB::Table
45 |     Properties:
46 |       TableName: !Sub "cf-${ServiceName}-${Stage}-terraform-locks"
47 |       BillingMode: PAY_PER_REQUEST
48 |       KeySchema:
49 |         - AttributeName: LockID
50 |           KeyType: HASH
51 |       AttributeDefinitions:
52 |         - AttributeName: LockID
53 |           AttributeType: S
54 |       Tags:
55 |         -
56 |           Key: "Service"
57 |           Value: !Sub "${ServiceName}"
58 |         -
59 |           Key: "Stage"
60 |           Value: !Sub "${Stage}"


--------------------------------------------------------------------------------
/layers/repeat/repeat/index.js:
--------------------------------------------------------------------------------
1 | "use strict";
2 | 
3 | // Repeate a string.
4 | const repeat = (str, times) => str.repeat(times);
5 | 
6 | module.exports = {
7 |   repeat
8 | };
9 | 


--------------------------------------------------------------------------------
/layers/vendor/nodejs/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "aws-lambda-serverless-reference-layers-vendor",
 3 |   "version": "0.0.1",
 4 |   "description": "Common vendor libraries for reference app",
 5 |   "main": "index.js",
 6 |   "license": "MIT",
 7 |   "dependencies": {
 8 |     "figlet": "^1.2.3"
 9 |   }
10 | }
11 | 


--------------------------------------------------------------------------------
/layers/vendor/nodejs/yarn.lock:
--------------------------------------------------------------------------------
1 | # THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
2 | # yarn lockfile v1
3 | 
4 | 
5 | figlet@^1.2.3:
6 |   version "1.2.3"
7 |   resolved "https://registry.yarnpkg.com/figlet/-/figlet-1.2.3.tgz#7d25df546f41fc411c2a8b88012d48d55de72129"
8 |   integrity sha512-+F5zdvZ66j77b8x2KCPvWUHC0UCKUMWrewxmewgPlagp3wmDpcrHMbyv/ygq/6xoxBPGQA+UJU3SMoBzKoROQQ==
9 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "aws-lambda-serverless-reference",
 3 |   "version": "0.0.1",
 4 |   "description": "A reference application for AWS + serverless framework.",
 5 |   "repository": "https://github.com/FormidableLabs/aws-lambda-serverless-reference",
 6 |   "author": "Ryan Roemer <ryan.roemer@formidable.com>",
 7 |   "license": "MIT",
 8 |   "scripts": {
 9 |     "postinstall": "cd layers/vendor/nodejs && yarn",
10 |     "_dev:on": "node terraform/scripts/dev.js --on",
11 |     "_dev:off": "node terraform/scripts/dev.js --off",
12 |     "env": "echo export STAGE=${STAGE:-localdev}; echo export SERVICE_NAME=simple-reference; echo export AWS_REGION=${AWS_REGION:-us-east-1}; echo export AWS_XRAY_CONTEXT_MISSING=LOG_ERROR",
13 |     "build:toc-files": "find . -name '*.md' -type f -not -path './node_modules/*' -not -path './terraform/.terraform/*' -exec grep -l '<!-- START doctoc' {} \\;",
14 |     "build:toc": "doctoc --notitle $(yarn -s build:toc-files)",
15 |     "build": "yarn build:toc &&  yarn tf:terraform fmt",
16 |     "lint": "eslint .",
17 |     "check:git-dirty": "test -z \"$(git status --porcelain)\" || (echo \"ERROR: Found git dirty files:\n$(git status --porcelain)\" && exit 1)",
18 |     "check:ci": "yarn run check && yarn build && yarn check:git-dirty",
19 |     "check": "yarn run lint",
20 |     "node:localdev": "eval $(yarn -s env) && SERVER_PORT=${SERVER_PORT:-3000} SERVER_HOST=${SERVER_HOST:-0.0.0.0} nodemon --watch src src/server/${SCENARIO:-base}.js",
21 |     "lambda:sls": "eval $(yarn -s env) && sls -s ${STAGE}",
22 |     "lambda:localdev": "yarn run lambda:sls offline start --port ${SERVER_PORT:-3001} --host ${SERVER_HOST:-0.0.0.0}",
23 |     "lambda:deploy": "yarn run lambda:sls deploy",
24 |     "lambda:info": "yarn run lambda:sls info",
25 |     "lambda:logs": "yarn run lambda:sls logs",
26 |     "lambda:metrics": "yarn run lambda:sls metrics",
27 |     "lambda:rollback": "yarn run lambda:sls rollback",
28 |     "lambda:_delete": "yarn run lambda:sls remove",
29 |     "cf:_params": "eval $(yarn -s env) && echo --parameters ParameterKey=Stage,ParameterValue=${STAGE} ParameterKey=ServiceName,ParameterValue=${SERVICE_NAME}",
30 |     "cf:bootstrap:_stack": "eval $(yarn -s env) && echo --region ${AWS_REGION} --stack-name cf-${SERVICE_NAME}-${STAGE}-bootstrap",
31 |     "cf:bootstrap:_tmpl": "echo --template-body file://aws/bootstrap.yml ",
32 |     "cf:bootstrap:create": "aws cloudformation create-stack --capabilities CAPABILITY_NAMED_IAM $(yarn -s cf:bootstrap:_tmpl) $(yarn -s cf:bootstrap:_stack) $(yarn -s cf:_params)",
33 |     "cf:bootstrap:update": "aws cloudformation update-stack --capabilities CAPABILITY_NAMED_IAM $(yarn -s cf:bootstrap:_tmpl) $(yarn -s cf:bootstrap:_stack) $(yarn -s cf:_params)",
34 |     "cf:bootstrap:status": "aws cloudformation describe-stacks --query 'Stacks[0].StackStatus' $(yarn -s cf:bootstrap:_stack)",
35 |     "cf:bootstrap:_get-bucket-versions": "eval $(yarn -s env) && aws s3api list-object-versions --bucket=\"cf-${SERVICE_NAME}-${STAGE}-terraform-state\" --output=json --query=\"{Objects: Versions[].{Key:Key,VersionId:VersionId}}\"",
36 |     "cf:bootstrap:_empty-bucket": "eval $(yarn -s env) && aws s3api delete-objects --bucket=\"cf-${SERVICE_NAME}-${STAGE}-terraform-state\" --delete=\"$(yarn -s cf:bootstrap:_get-bucket-versions)\" || echo \"No objects deleted/found.\"",
37 |     "cf:bootstrap:_delete-stack": "eval $(yarn -s env) && aws cloudformation delete-stack $(yarn -s cf:bootstrap:_stack)",
38 |     "cf:bootstrap:_delete": "eval $(yarn -s env) && yarn cf:bootstrap:_empty-bucket && yarn cf:bootstrap:_delete-stack",
39 |     "tf:service:_backend": "eval $(yarn -s env) && echo -backend-config=\"bucket=cf-${SERVICE_NAME}-${STAGE}-terraform-state\" -backend-config=\"dynamodb_table=cf-${SERVICE_NAME}-${STAGE}-terraform-locks\" -backend-config=\"region=${AWS_REGION}\" ",
40 |     "tf:terraform": "eval $(yarn -s env) && cd terraform && terraform",
41 |     "tf:service:_vars": "eval $(yarn -s env) && echo -var \"region=${AWS_REGION}\" -var \"service_name=${SERVICE_NAME}\" -var \"stage=${STAGE}\" ",
42 |     "tf:service:init": "yarn run tf:terraform init $(yarn -s tf:service:_backend) $(yarn -s tf:service:_vars)",
43 |     "tf:service:plan": "yarn run tf:terraform plan $(yarn -s tf:service:_vars)",
44 |     "tf:service:apply": "yarn run tf:terraform apply $(yarn -s tf:service:_vars)",
45 |     "tf:service:_delete": "yarn run tf:terraform destroy $(yarn -s tf:service:_vars)"
46 |   },
47 |   "dependencies": {
48 |     "aws-xray-sdk-core": "^2.2.0",
49 |     "aws-xray-sdk-express": "^2.2.0",
50 |     "express": "^4.16.4",
51 |     "serverless-http": "^2.3.0"
52 |   },
53 |   "devDependencies": {
54 |     "babel-eslint": "^10.0.1",
55 |     "doctoc": "^1.4.0",
56 |     "eslint": "^6.8.0",
57 |     "eslint-config-formidable": "^4.0.0",
58 |     "eslint-plugin-filenames": "^1.3.2",
59 |     "eslint-plugin-import": "^2.16.0",
60 |     "eslint-plugin-promise": "^4.0.1",
61 |     "nodemon": "^2.0.2",
62 |     "serverless": "^1.61.1",
63 |     "serverless-jetpack": "^0.10.0",
64 |     "serverless-offline": "^5.12.1",
65 |     "serverless-plugin-canary-deployments": "^0.4.8"
66 |   }
67 | }
68 | 


--------------------------------------------------------------------------------
/serverless.yml:
--------------------------------------------------------------------------------
  1 | # CloudFormation output name: `sls-${SERVICE_NAME}-${STAGE}`
  2 | service: sls-${self:custom.service}
  3 | 
  4 | custom:
  5 |   service: ${env:SERVICE_NAME}
  6 |   region: ${opt:region, env:AWS_REGION}
  7 |   stage: ${opt:stage, env:STAGE}
  8 |   jetpack:
  9 |     preInclude:
 10 |       - "!**" # Start with no files at all.
 11 |     trace:
 12 |       # Use trace mode for speed and ignore aws-sdk + all deps
 13 |       ignores:
 14 |         - "aws-sdk"
 15 | 
 16 | plugins:
 17 |   - serverless-jetpack
 18 |   - serverless-offline
 19 |   - serverless-plugin-canary-deployments
 20 | 
 21 | provider:
 22 |   name: aws
 23 | 
 24 |   # Required: import the default role that terraform-aws-serverless generates.
 25 |   role:
 26 |     Fn::ImportValue: tf-${self:custom.service}-${self:custom.stage}-LambdaExecutionRoleArn
 27 | 
 28 |     # OPTION(custom_role): terraform-aws-serverless lets you provide a custom
 29 |     # IAM role in place of its autogenerated one. If you provide a custom role,
 30 |     # expose it as an export on a CloudFormation stack and import it like so:
 31 |     # Fn::ImportValue: tf-${self:custom.service}-${self:custom.stage}-LambdaExecutionRoleCustomArn
 32 | 
 33 |   # Lambda configuration
 34 |   runtime: nodejs12.x
 35 |   timeout: 30 # seconds (`300` max)
 36 |   memorySize: 128 # MB value (`1024` default)
 37 | 
 38 |   # Deployment / environment configuration
 39 |   region: ${self:custom.region}
 40 |   stage: ${self:custom.stage}
 41 |   environment:
 42 |     STAGE: ${self:custom.stage}
 43 |     SERVICE_NAME: ${self:custom.service}
 44 | 
 45 |   # AWS Resource Tags: Match terraform module
 46 |   stackTags: # For CF stack
 47 |     Stage: ${self:custom.stage}
 48 |     Service: ${self:custom.service}
 49 |   tags: # For resources
 50 |     Stage: ${self:custom.stage}
 51 |     Service: ${self:custom.service}
 52 | 
 53 | functions:
 54 |   # SCENARIO - base: The simplest, vanilla Serverless app.
 55 |   base:
 56 |     handler: src/server/base.handler
 57 |     events: # Use a generic proxy to allow Express app to route.
 58 |       - http: ANY /base
 59 |       - http: 'ANY /base/{proxy+}'
 60 | 
 61 | ###############################################################################
 62 | # OPTIONAL STUFF BELOW!!!
 63 | # =======================
 64 | # Everything below here provides specific features and enhancements that you
 65 | # may wish to investigate in a serverless app, such as:
 66 | # - `xray`: Set up AWS Xray tracing
 67 | # - `vpc`: Deploy Lambda in AWS VPC
 68 | # - `layers`: Deploy Lambda Layers alongside Lambda Functions
 69 | ###############################################################################
 70 | 
 71 |   #############################################################################
 72 |   # OPTION(xray): Simple app with Xray tracing.
 73 |   #############################################################################
 74 |   xray:
 75 |     handler: src/server/xray.handler
 76 |     events:
 77 |       - http: ANY /xray
 78 |       - http: 'ANY /xray/{proxy+}'
 79 | 
 80 |   #############################################################################
 81 |   # OPTION(vpc): Our vanilla app, but in a VPC
 82 |   #############################################################################
 83 |   vpc:
 84 |     handler: src/server/base.handler
 85 |     events:
 86 |       - http: ANY /vpc
 87 |       - http: 'ANY /vpc/{proxy+}'
 88 |     environment:
 89 |       BASE_URL: /vpc
 90 |     # VPC: Add in SGs and SNs.
 91 |     # https://serverless.com/framework/docs/providers/aws/guide/functions#vpc-configuration
 92 |     vpc:
 93 |       securityGroupIds:
 94 |         - Fn::ImportValue: "tf-${self:custom.service}-${self:custom.stage}-VPCSecurityGroupId"
 95 |       subnetIds:
 96 |         - Fn::ImportValue: "tf-${self:custom.service}-${self:custom.stage}-VPCPrivateSubnetA"
 97 |         - Fn::ImportValue: "tf-${self:custom.service}-${self:custom.stage}-VPCPrivateSubnetB"
 98 | 
 99 |   #############################################################################
100 |   # OPTION(canary): Canary-deployed Lambda using serverless-plugin-canary-deployments
101 |   # To watch the canary deploy's progress for the sandbox environment, view its
102 |   # CodeDeploy project here:
103 |   # https://us-east-1.console.aws.amazon.com/codesuite/codedeploy/applications/sls-simple-reference-sandbox-SlssimplereferencesandboxDeploymentApplication-LI2MS1UTYKZT?region=us-east-1
104 |   #
105 |   # To view canary progress for other stages, find them in CodeDeploy Applications:
106 |   # https://us-east-1.console.aws.amazon.com/codesuite/codedeploy/applications?region=us-east-1
107 |   #############################################################################
108 |   canary:
109 |     handler: src/server/base.handler
110 |     events: # Use a generic proxy to allow Express app to route.
111 |       - http: ANY /canary
112 |       - http: 'ANY /canary/{proxy+}'
113 |     environment:
114 |       BASE_URL: /canary
115 |     deploymentSettings:
116 |       # See all options here: https://github.com/davidgf/serverless-plugin-canary-deployments#configuration
117 |       type: AllAtOnce
118 |       alias: Live
119 | 
120 |   #############################################################################
121 |   # OPTION(layers): Conditional import can use code from a layer.
122 |   #
123 |   # **Localdev**:
124 |   # ```sh
125 |   # # Can't find deps
126 |   # $ STAGE=sandbox yarn lambda:localdev
127 |   # $ curl http://127.0.0.1:3001/layers/layers.txt
128 |   #   Could not import figlet via layers. Sorry, no ASCII art today... :(
129 |   #
130 |   # # Hack in deps sort-of-equivalent to deployed.
131 |   # $ NODE_PATH="${NODE_PATH}:./layers/vendor/nodejs/node_modules" STAGE=sandbox yarn lambda:localdev
132 |   # $ curl http://127.0.0.1:3001/layers/layers.txt
133 |   #  _   _      _ _         _                              _ _ _
134 |   # | | | | ___| | | ___   | |    __ _ _   _  ___ _ __ ___| | | |
135 |   # | |_| |/ _ \ | |/ _ \  | |   / _` | | | |/ _ \ '__/ __| | | |
136 |   # |  _  |  __/ | | (_) | | |__| (_| | |_| |  __/ |  \__ \_|_|_|
137 |   # |_| |_|\___|_|_|\___/  |_____\__,_|\__, |\___|_|  |___(_|_|_)
138 |   #                                    |___/
139 |   # ```
140 |   #############################################################################
141 |   layers:
142 |     handler: src/server/layers.handler
143 |     events:
144 |       - http: ANY /layers
145 |       - http: 'ANY /layers/{proxy+}'
146 |     environment:
147 |       BASE_URL: /layers
148 |     layers:
149 |       - { Ref: VendorLambdaLayer }
150 |       - { Ref: RepeatLambdaLayer }
151 |     # Package individually for function-level tracing ignores / options.
152 |     # Easier general solution is no tracing when layer dependencies, although
153 |     # tracing is likely faster and slimmer.
154 |     package:
155 |       individually: true
156 |     jetpack:
157 |       trace:
158 |         ignores:      # Add ignores for things provided by layers.
159 |           - "figlet"  # From VendorLambdaLayer
160 |           - "/opt"    # From RepeatLambdaLayer
161 | 
162 | ###############################################################################
163 | # OPTION(layers): Add some layers.
164 | ###############################################################################
165 | layers:
166 |   # Dependencies: Adds common vendor libs to a `node_modules` directory.
167 |   # Note: Expands to `/opt/nodejs/node_modules/**/*.js`, so should only do this once.
168 |   vendor:
169 |     path: layers/vendor
170 |     name: sls-${self:custom.service}-${self:custom.stage}-vendor
171 |     jetpack:
172 |       roots:
173 |         - layers/vendor/nodejs
174 | 
175 |   # No dependencies: A vanilla JS function.
176 |   # Note: Expands to `/opt/repeat/*.js` (we have `layers/repeat/repeat` here).
177 |   repeat:
178 |     path: layers/repeat
179 |     name: sls-${self:custom.service}-${self:custom.stage}-repeat
180 |     package:
181 |       include:
182 |         - "repeat/*.js"
183 | 
184 | resources:
185 |   Resources:
186 |     ###########################################################################
187 |     # OPTION(Xray): Enable Xray tracing.
188 |     ###########################################################################
189 |     XrayLambdaFunction:
190 |       Properties:
191 |         TracingConfig:
192 |           Mode: Active
193 | 


--------------------------------------------------------------------------------
/src/server/base.js:
--------------------------------------------------------------------------------
 1 | "use strict";
 2 | 
 3 | const express = require("express");
 4 | 
 5 | const DEFAULT_PORT = 3000;
 6 | const PORT = parseInt(process.env.SERVER_PORT || DEFAULT_PORT, 10);
 7 | const HOST = process.env.SERVER_HOST || "0.0.0.0";
 8 | const STAGE = process.env.STAGE || "localdev";
 9 | const BASE_URL = process.env.BASE_URL || "/base";
10 | const FULL_BASE_URL = STAGE === "localdev" ? BASE_URL : `/${STAGE}${BASE_URL}`;
11 | 
12 | // The base app for any use...
13 | const app = express();
14 | 
15 | // Settings
16 | app.set("json spaces", 2); // eslint-disable-line no-magic-numbers
17 | 
18 | // Root.
19 | // Ex: http://127.0.0.1:3000/hello.json
20 | // => `{"hello":"static REST world!"}`
21 | app.use(`${BASE_URL}/hello.json`, (req, res) => {
22 |   res.json({
23 |     msg: "Simple reference serverless app!"
24 |   });
25 | });
26 | app.use(`${BASE_URL}/*`, (req, res) => {
27 |   res.send(`
28 | <html>
29 |   <body>
30 |     <h1>The Reference App!</h1>
31 |     <p>A simple AWS Lambda + Serverless framework application.</p>
32 |     <p>
33 |       See a JSON response:
34 |       <a href="${FULL_BASE_URL}/hello.json"><code>${FULL_BASE_URL}/hello.json</code></a>
35 |     </p>
36 |   </body>
37 | </html>
38 |   `);
39 | });
40 | 
41 | // LAMBDA: Export handler for lambda use.
42 | let handler;
43 | module.exports.handler = (event, context, callback) => {
44 |   // Lazy require `serverless-http` to allow non-Lambda targets to omit.
45 |   // eslint-disable-next-line global-require
46 |   handler = handler || require("serverless-http")(app);
47 |   return handler(event, context, callback);
48 | };
49 | 
50 | // DOCKER/DEV/ANYTHING: Start the server directly.
51 | if (require.main === module) {
52 |   const server = app.listen({
53 |     port: PORT,
54 |     host: HOST
55 |   }, () => {
56 |     const { address, port } = server.address();
57 | 
58 |     // eslint-disable-next-line no-console
59 |     console.log(`Server started at http://${address}:${port}`);
60 |   });
61 | }
62 | 


--------------------------------------------------------------------------------
/src/server/layers.js:
--------------------------------------------------------------------------------
 1 | "use strict";
 2 | 
 3 | const express = require("express");
 4 | 
 5 | const DEFAULT_PORT = 3000;
 6 | const PORT = parseInt(process.env.SERVER_PORT || DEFAULT_PORT, 10);
 7 | const HOST = process.env.SERVER_HOST || "0.0.0.0";
 8 | const STAGE = process.env.STAGE || "localdev";
 9 | const BASE_URL = process.env.BASE_URL || "/layers";
10 | const FULL_BASE_URL = STAGE === "localdev" ? BASE_URL : `/${STAGE}${BASE_URL}`;
11 | 
12 | // The base app for any use...
13 | const app = express();
14 | 
15 | // Settings
16 | app.set("json spaces", 2); // eslint-disable-line no-magic-numbers
17 | 
18 | // Simple test if our layers import worked.
19 | app.use(`${BASE_URL}/layers.txt`, async (req, res) => {
20 |   let msg;
21 | 
22 |   // Dependencies layer
23 |   try {
24 |     // eslint-disable-next-line global-require,import/no-unresolved
25 |     const figlet = require("figlet");
26 |     msg = figlet.textSync("Hello Layers");
27 |   } catch (e) {
28 |     msg = "Could not import figlet via layers. Sorry, no ASCII art today... :(";
29 |   }
30 | 
31 |   // No dependencies layer
32 |   try {
33 |     // eslint-disable-next-line global-require,import/no-unresolved
34 |     const { repeat } = require("/opt/repeat");
35 |     msg += `\n\n${repeat("-", msg.split("\n")[0].length)}`;
36 |   } catch (e) {
37 |     msg += "\n\nCould not import repeat via layers. Sorry, no exclamations today... :(";
38 |   }
39 | 
40 |   res.set("Content-Type", "text/plain");
41 |   res.send(msg);
42 | });
43 | app.use(`${BASE_URL}/*`, (req, res) => {
44 |   res.send(`
45 | <html>
46 |   <body>
47 |     <h1>The Reference App (Layers Edition)!</h1>
48 |     <p>A simple AWS Lambda + Serverless framework application.</p>
49 |     <p>
50 |       See layers response:
51 |       <a href="${FULL_BASE_URL}/layers.txt"><code>${FULL_BASE_URL}/layers.txt</code></a>
52 |     </p>
53 |   </body>
54 | </html>
55 |   `);
56 | });
57 | 
58 | // LAMBDA: Export handler for lambda use.
59 | let handler;
60 | module.exports.handler = (event, context, callback) => {
61 |   // Lazy require `serverless-http` to allow non-Lambda targets to omit.
62 |   // eslint-disable-next-line global-require
63 |   handler = handler || require("serverless-http")(app);
64 |   return handler(event, context, callback);
65 | };
66 | 
67 | // DOCKER/DEV/ANYTHING: Start the server directly.
68 | if (require.main === module) {
69 |   const server = app.listen({
70 |     port: PORT,
71 |     host: HOST
72 |   }, () => {
73 |     const { address, port } = server.address();
74 | 
75 |     // eslint-disable-next-line no-console
76 |     console.log(`Server started at http://${address}:${port}`);
77 |   });
78 | }
79 | 


--------------------------------------------------------------------------------
/src/server/xray.js:
--------------------------------------------------------------------------------
 1 | "use strict";
 2 | 
 3 | const { setLogger } = require("aws-xray-sdk-core"); // Xray
 4 | const xrayExpress = require("aws-xray-sdk-express"); // Xray
 5 | const express = require("express");
 6 | 
 7 | const DEFAULT_PORT = 3000;
 8 | const PORT = parseInt(process.env.SERVER_PORT || DEFAULT_PORT, 10);
 9 | const HOST = process.env.SERVER_HOST || "0.0.0.0";
10 | const STAGE = process.env.STAGE || process.env.NODE_ENV || "localdev";
11 | const SERVICE_NAME = process.env.SERVICE_NAME;
12 | const SERVICE = `${SERVICE_NAME}-${STAGE}`;
13 | const BASE_URL = process.env.BASE_URL || "/xray";
14 | 
15 | // Log xray locally.
16 | if (STAGE === "localdev") {
17 |   setLogger(console);
18 | }
19 | 
20 | // The base app for any use...
21 | const app = express();
22 | 
23 | // Settings
24 | app.set("json spaces", 2); // eslint-disable-line no-magic-numbers
25 | 
26 | app.use(xrayExpress.openSegment(SERVICE)); // Xray
27 | 
28 | // Routes
29 | app.use(`${BASE_URL}/*`, (req, res) => {
30 |   res.send(`
31 | <html>
32 |   <body>
33 |     <h1>The Reference App (Xray Version)!</h1>
34 |     <p>An AWS Lambda + Serverless framework application with Xray tracing.</p>
35 |     <p>Check Xray dashboard for samples!</p>
36 |   </body>
37 | </html>
38 |   `);
39 | });
40 | 
41 | app.use(xrayExpress.closeSegment()); // Xray
42 | 
43 | // LAMBDA: Export handler for lambda use.
44 | let handler;
45 | module.exports.handler = (event, context, callback) => {
46 |   // eslint-disable-next-line global-require
47 |   handler = handler || require("serverless-http")(app);
48 |   return handler(event, context, callback);
49 | };
50 | 
51 | // DOCKER/DEV/ANYTHING: Start the server directly.
52 | if (require.main === module) {
53 |   const server = app.listen({
54 |     port: PORT,
55 |     host: HOST
56 |   }, () => {
57 |     const { address, port } = server.address();
58 | 
59 |     // eslint-disable-next-line no-console
60 |     console.log(`Server started at http://${address}:${port}`);
61 |   });
62 | }
63 | 


--------------------------------------------------------------------------------
/terraform/main.tf:
--------------------------------------------------------------------------------
  1 | provider "aws" {
  2 |   region = var.region
  3 | }
  4 | 
  5 | terraform {
  6 |   backend "s3" {
  7 |     key = "terraform.tfstate"
  8 |   }
  9 | }
 10 | 
 11 | # A resource group is an optional, but very nice thing to have, especially
 12 | # when managing resources across CF + TF + SLS.
 13 | #
 14 | # This RG aggregates all of CF + TF + SLS together by `Service` + `Stage`.
 15 | resource "aws_resourcegroups_group" "resources_stage" {
 16 |   name = "tf-${var.service_name}-${var.stage}"
 17 | 
 18 |   resource_query {
 19 |     query = <<JSON
 20 | {
 21 |   "ResourceTypeFilters": [
 22 |     "AWS::AllSupported"
 23 |   ],
 24 |   "TagFilters": [
 25 |     {
 26 |       "Key": "Service",
 27 |       "Values": ["${var.service_name}"]
 28 |     },
 29 |     {
 30 |       "Key": "Stage",
 31 |       "Values": ["${var.stage}"]
 32 |     }
 33 |   ]
 34 | }
 35 | JSON
 36 | 
 37 |   }
 38 | }
 39 | 
 40 | ###############################################################################
 41 | # Base `serverless` IAM support
 42 | ###############################################################################
 43 | module "serverless" {
 44 |   source  = "FormidableLabs/serverless/aws"
 45 |   version = "1.0.0"
 46 | 
 47 |   region       = var.region
 48 |   service_name = var.service_name
 49 |   stage        = var.stage
 50 |   # OPTION(custom_role): override the Lambda execution role that
 51 |   # terraform-aws-serverless creates by default.
 52 |   # lambda_role_name = "${aws_iam_role.lambda_execution_custom.name}"
 53 | 
 54 |   # (Default values)
 55 |   # iam_region          = `*`
 56 |   # iam_partition       = `*`
 57 |   # iam_account_id      = `AWS_CALLER account`
 58 |   # tf_service_name     = `tf-SERVICE_NAME`
 59 |   # sls_service_name    = `sls-SERVICE_NAME`
 60 |   # role_admin_name     = `admin`
 61 |   # role_developer_name = `developer`
 62 |   # role_ci_name        = `ci`
 63 |   # opt_many_lambdas    = false
 64 | }
 65 | 
 66 | ###############################################################################
 67 | # OPTIONAL STUFF BELOW!!!
 68 | # =======================
 69 | # Everything below here provides specific features and enhancements that you
 70 | # may wish to investigate in a serverless app, such as:
 71 | # - `xray`: Set up AWS Xray tracing
 72 | # - `vpc`: Deploy Lambda in AWS VPC
 73 | # - `layers`: Deploy Lambda Layers alongside Lambda Functions
 74 | ###############################################################################
 75 | 
 76 | ###############################################################################
 77 | # OPTION(xray): Add X-ray support to lambda execution roles.
 78 | ###############################################################################
 79 | module "serverless_xray" {
 80 |   source  = "FormidableLabs/serverless/aws//modules/xray"
 81 |   version = "1.0.0"
 82 | 
 83 |   # Same variables as for `serverless` module.
 84 |   region       = var.region
 85 |   service_name = var.service_name
 86 |   stage        = var.stage
 87 |   # OPTION(custom_role): override the Lambda execution role that
 88 |   # terraform-aws-serverless creates by default.
 89 |   # lambda_role_name = "${aws_iam_role.lambda_execution_custom.name}"
 90 | }
 91 | 
 92 | ###############################################################################
 93 | # OPTION(vpc): Create VPC resources and expose to Serverless stack.
 94 | ###############################################################################
 95 | data "aws_availability_zones" "available" {
 96 | }
 97 | 
 98 | # OPTION(vpc): Instantiate an actual VPC
 99 | #
100 | # ## Available ranges
101 | #
102 | # - 10.0.0.0 - 10.255.255.255 (10/8 prefix)
103 | # - 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
104 | # - 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
105 | #
106 | # - `10.0.0.0/8` is reserved for ClassicLink VPC. Don't use if need that.
107 | #   https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/vpc-classiclink.html
108 | # - `172.31.0.0/16` is usually the default VPC group.
109 | #
110 | # ## Addressing
111 | #
112 | # Param                   CIDR            Start       End           Hosts
113 | # ======================= =============== =========== ============= ======
114 | # Private Subnet A        10.1.0.0/20     10.1.0.0    10.1.15.255   4096
115 | # Private Subnet B        10.1.16.0/20    10.1.16.0   10.1.31.255   4096
116 | # <Private Spare> C       10.1.32.0/20
117 | # <Private Spare> D       10.1.48.0/20
118 | #
119 | # Public Subnet A         10.1.64.0/20    10.1.64.0   10.1.79.255   4096
120 | # Public Subnet B         10.1.80.0/20    10.1.80.0   10.1.95.255   4096
121 | # <Public Spare> C        10.1.96.0/20
122 | # <Public Spare> D        10.1.112.0/20
123 | #
124 | # VPC CIDR Block          10.1.0.0/17     10.1.0.0    10.1.127.255  32768
125 | module "vpc" {
126 |   source  = "terraform-aws-modules/vpc/aws"
127 |   version = "2.21.0"
128 | 
129 |   name = "tf-${var.service_name}-${var.stage}"
130 | 
131 |   # Dynamically get 2 availabile AZs for failover.
132 |   azs = [
133 |     data.aws_availability_zones.available.names[0],
134 |     data.aws_availability_zones.available.names[1],
135 |   ]
136 | 
137 |   # Features
138 |   enable_dns_hostnames = true
139 |   enable_dns_support   = true
140 |   enable_nat_gateway   = true
141 | 
142 |   # Networking
143 |   cidr            = "10.1.0.0/17"
144 |   private_subnets = ["10.1.0.0/20", "10.1.16.0/20"]
145 |   public_subnets  = ["10.1.64.0/20", "10.1.80.0/20"]
146 | 
147 |   tags = local.tags
148 | }
149 | 
150 | # OPTION(vpc): Use a custom, honed SG.
151 | resource "aws_security_group" "vpc" {
152 |   name        = "tf-${var.service_name}-${var.stage}"
153 |   description = "Allow Serverless Lambda networking"
154 |   vpc_id      = module.vpc.vpc_id
155 | 
156 |   egress {
157 |     description = "Egress: tf-${var.service_name}-${var.stage}"
158 |     from_port   = 0
159 |     to_port     = 0
160 |     protocol    = "-1"
161 |     cidr_blocks = ["0.0.0.0/0"]
162 |   }
163 | 
164 |   tags = merge(
165 |     local.tags,
166 |     {
167 |       "Name" = "tf-${var.service_name}-${var.stage}"
168 |     },
169 |   )
170 | }
171 | 
172 | # OPTION(vpc): Use a small CloudFormation stack to expose outputs for
173 | # consumption in Serverless. (There are _many_ ways to do this, we just
174 | # like this as there's no local disk state needed to deploy.)
175 | #
176 | # _Note_: CF **requires** 1+ `Resources`, so we throw in the SSM param of the
177 | # VPC SG because it's small and we need "something". It's otherwise unused.
178 | #
179 | # See: https://theburningmonk.com/2019/03/making-terraform-and-serverless-framework-work-together/
180 | resource "aws_cloudformation_stack" "outputs_vpc" {
181 |   name = "tf-${var.service_name}-${var.stage}-outputs-vpc"
182 | 
183 |   template_body = <<STACK
184 | Resources:
185 |   VPCSecurityGroupId:
186 |     Type: AWS::SSM::Parameter
187 |     Properties:
188 |       Name: "tf-${var.service_name}-${var.stage}-VPCSecurityGroupId"
189 |       Value: "${aws_security_group.vpc.id}"
190 |       Type: String
191 | 
192 | Outputs:
193 |   VPCSecurityGroupId:
194 |     Description: "VPC SG GID"
195 |     Value: "${aws_security_group.vpc.id}"
196 |     Export:
197 |       Name: "tf-${var.service_name}-${var.stage}-VPCSecurityGroupId"
198 | 
199 |   VPCPrivateSubnetA:
200 |     Description: "VPC Private Subnet A"
201 |     Value: "${module.vpc.private_subnets[0]}"
202 |     Export:
203 |       Name: "tf-${var.service_name}-${var.stage}-VPCPrivateSubnetA"
204 | 
205 |   VPCPrivateSubnetB:
206 |     Description: "VPC Private Subnet B"
207 |     Value: "${module.vpc.private_subnets[1]}"
208 |     Export:
209 |       Name: "tf-${var.service_name}-${var.stage}-VPCPrivateSubnetB"
210 | 
211 | STACK
212 | 
213 | 
214 |   tags = local.tags
215 | }
216 | 
217 | # OPTION(vpc): Add in IAM permissions to humans + lambda execution role.
218 | module "serverless_vpc" {
219 |   source  = "FormidableLabs/serverless/aws//modules/vpc"
220 |   version = "1.0.0"
221 | 
222 |   # Same variables as for `serverless` module.
223 |   region       = var.region
224 |   service_name = var.service_name
225 |   stage        = var.stage
226 |   # OPTION(custom_role): override the Lambda execution role that
227 |   # terraform-aws-serverless creates by default.
228 |   # lambda_role_name = "${aws_iam_role.lambda_execution_custom.name}"
229 | }
230 | 
231 | ###############################################################################
232 | # OPTION(custom_roles): Create and use a custom Lambda role in Serverless.
233 | ###############################################################################
234 | data "aws_partition" "current" {
235 | }
236 | 
237 | resource "aws_iam_role" "lambda_execution_custom" {
238 |   name               = "tf-${var.service_name}-${var.stage}-lambda-execution-custom"
239 |   assume_role_policy = data.aws_iam_policy_document.lambda_execution_custom_assume.json
240 |   tags               = local.tags
241 | }
242 | 
243 | # OPTION(custom_roles): Allow Lambda to assume the custom role.
244 | data "aws_iam_policy_document" "lambda_execution_custom_assume" {
245 |   statement {
246 |     principals {
247 |       type        = "Service"
248 |       identifiers = ["lambda.amazonaws.com"]
249 |     }
250 | 
251 |     actions = ["sts:AssumeRole"]
252 |   }
253 | }
254 | 
255 | # OPTION(custom_roles): Use a small CloudFormation stack to expose outputs for
256 | # consumption in Serverless. (There are _many_ ways to do this, we just
257 | # like this as there's no local disk state needed to deploy.)
258 | #
259 | # _Note_: CF **requires** 1+ `Resources`, so we throw in the SSM param of the
260 | # role ARN because it's small and we need "something". It's otherwise unused.
261 | #
262 | # See: https://theburningmonk.com/2019/03/making-terraform-and-serverless-framework-work-together/
263 | resource "aws_cloudformation_stack" "outputs_custom_role" {
264 |   name = "tf-${var.service_name}-${var.stage}-outputs-custom-role"
265 | 
266 |   template_body = <<STACK
267 | Resources:
268 |   LambdaExecutionRoleArn:
269 |     Type: AWS::SSM::Parameter
270 |     Properties:
271 |       Name: "tf-${var.service_name}-${var.stage}-LambdaExecutionRoleCustomArn"
272 |       Value: "${aws_iam_role.lambda_execution_custom.arn}"
273 |       Type: String
274 | 
275 | Outputs:
276 |   LambdaExecutionRoleArn:
277 |     Description: "The ARN of the lambda execution role for Serverless to apply"
278 |     Value: "${aws_iam_role.lambda_execution_custom.arn}"
279 |     Export:
280 |       Name: "tf-${var.service_name}-${var.stage}-LambdaExecutionRoleCustomArn"
281 | 
282 | STACK
283 | 
284 | 
285 |   tags = local.tags
286 | }
287 | 
288 | # OPTION(canary): Add serverless-plugin-canary-deployments to lambda execution roles.
289 | module "serverless_canary" {
290 |   source  = "FormidableLabs/serverless/aws//modules/canary"
291 |   version = "1.0.0"
292 | 
293 |   # Same variables as for `serverless` module.
294 |   region       = var.region
295 |   service_name = var.service_name
296 |   stage        = var.stage
297 | }
298 | 
299 | 


--------------------------------------------------------------------------------
/terraform/role-ci.tf:
--------------------------------------------------------------------------------
  1 | ############################################################################
  2 | # OPTION(custom_roles): Create and use a custom Lambda role in Serverless. #
  3 | # This entire file can be commented out if you do not need a custom role.  #
  4 | ############################################################################
  5 | 
  6 | # Example of how to use policies from terraform-aws-serverless to create
  7 | # a developer/CI role that any user in the developer group can assume.
  8 | #
  9 | # Useful for:
 10 | # - Delegating permissions to another AWS account.
 11 | # - Testing permissions without creating a new user and switching to it.
 12 | #   - Group permissions are _additive_: if a user in the developer group
 13 | #     has extra permissions outside of the policies attached to the group,
 14 | #     that user can execute actions that aren't defined in the group policy.
 15 | #     This means that the user can't test group policy in isolation. They
 16 | #     must create a new user without additional permissions and attach the
 17 | #     developer group to it.
 18 | #   - Assuming a role is _subtractive_: it limits your access to the role's
 19 | #     IAM statements. This means that a superuser testing group IAM policies
 20 | #     won't be affected by any other IAM permissions attached to their account.
 21 | #
 22 | # We're investigating how best to integrate the assume role policies/principals
 23 | # into terraform-aws-serverless here:
 24 | # https://github.com/FormidableLabs/terraform-aws-serverless/issues/53
 25 | data "aws_caller_identity" "current" {
 26 | }
 27 | 
 28 | resource "aws_iam_role" "ci" {
 29 |   name               = "tf-${var.service_name}-${var.stage}-role-ci"
 30 |   assume_role_policy = data.aws_iam_policy_document.ci_assume.json
 31 |   tags               = local.tags
 32 | }
 33 | 
 34 | data "aws_iam_policy_document" "ci_assume" {
 35 |   statement {
 36 |     actions = ["sts:AssumeRole"]
 37 | 
 38 |     principals {
 39 |       type = "Service"
 40 | 
 41 |       # TODO: investigate the best way to build this into terraform-aws-serverless.
 42 |       # Maybe each module can export the principals it allows IAM permissions to.
 43 |       identifiers = [
 44 |         "lambda.amazonaws.com",
 45 |         "apigateway.amazonaws.com",
 46 |         "codedeploy.amazonaws.com",
 47 |         "cloudformation.amazonaws.com",
 48 |         "ec2.amazonaws.com",
 49 |         "xray.amazonaws.com",
 50 |         "s3.amazonaws.com",
 51 |         "logs.amazonaws.com",
 52 |         "iam.amazonaws.com",
 53 |       ]
 54 |     }
 55 |   }
 56 | 
 57 |   # Allow this account to use policies that grant assume role access to principals.
 58 |   # https://stackoverflow.com/a/34943188
 59 |   # "Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account,
 60 |   # but they would also need sts:AssumeRole permissions (above) to assume the role."
 61 |   # "trusting sts:AssumeRole to ..:root user only POTENTIALLY allows any user to assume the role in
 62 |   # question. Unless you also grant the permission to some user or group to assume the role, it
 63 |   # will not be allowed.
 64 |   statement {
 65 |     actions = ["sts:AssumeRole"]
 66 | 
 67 |     principals {
 68 |       type        = "AWS"
 69 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 70 |     }
 71 |   }
 72 | }
 73 | 
 74 | # Attach policies from main and child modules to this role
 75 | resource "aws_iam_role_policy_attachment" "ci" {
 76 |   role       = aws_iam_role.ci.name
 77 |   policy_arn = module.serverless.iam_policy_ci_arn
 78 | }
 79 | 
 80 | resource "aws_iam_role_policy_attachment" "ci_cd_lambdas" {
 81 |   role       = aws_iam_role.ci.name
 82 |   policy_arn = module.serverless.iam_policy_cd_lambdas_arn
 83 | }
 84 | 
 85 | # OPTION(vpc)
 86 | resource "aws_iam_role_policy_attachment" "ci_vpc" {
 87 |   role       = aws_iam_role.ci.name
 88 |   policy_arn = module.serverless_vpc.iam_policy_ci_arn
 89 | }
 90 | 
 91 | # OPTION(canary)
 92 | resource "aws_iam_role_policy_attachment" "ci_canary" {
 93 |   role       = aws_iam_role.ci.name
 94 |   policy_arn = module.serverless_canary.iam_policy_ci_arn
 95 | }
 96 | 
 97 | resource "aws_iam_group_policy_attachment" "ci_role" {
 98 |   group      = module.serverless.iam_group_ci_name
 99 |   policy_arn = aws_iam_policy.ci_role.arn
100 | }
101 | 
102 | resource "aws_iam_policy" "ci_role" {
103 |   name   = "tf-${var.service_name}-${var.stage}-policy-ci-role"
104 |   policy = data.aws_iam_policy_document.ci_role.json
105 | }
106 | 
107 | # Allow a principal to assume this role.
108 | data "aws_iam_policy_document" "ci_role" {
109 |   statement {
110 |     actions   = ["sts:AssumeRole"]
111 |     resources = [aws_iam_role.ci.arn]
112 |   }
113 | }
114 | 
115 | 


--------------------------------------------------------------------------------
/terraform/scripts/dev.js:
--------------------------------------------------------------------------------
 1 | "use strict";
 2 | 
 3 | /**
 4 |  * Helper script to switch from published version of `terraform-aws-serverless`
 5 |  * to a locally installed version in `../terraform-aws-serverless`.
 6 |  *
 7 |  * The script basically changes the `source` of the module to local path and
 8 |  * comments out the `version` which produces an error in terraform 0.12+.
 9 |  *
10 |  * Usage:
11 |  *
12 |  * ```sh
13 |  * $ node terraform/scripts/dev.js --on
14 |  * $ node terraform/scripts/dev.js --off
15 |  * ```
16 |  */
17 | const fs = require("fs").promises;
18 | const path = require("path");
19 | const { log } = console;
20 | const mainFile = path.resolve(__dirname, "../main.tf");
21 | 
22 | const enableDev = async () => {
23 |   log("Enabling development mode.");
24 | 
25 |   const buffer = await fs.readFile(mainFile);
26 |   const data = buffer.toString()
27 |     .replace(
28 |       /(\= \"FormidableLabs\/serverless\/aws)(.*\n[ ]*)(version)/g,
29 |       (match, mod, middle) => `= "../../terraform-aws-serverless${middle}# version`
30 |     );
31 | 
32 |   await fs.writeFile(mainFile, data);
33 | };
34 | 
35 | const disableDev = async () => {
36 |   log("Disabling development mode.");
37 | 
38 |   const buffer = await fs.readFile(mainFile);
39 |   const data = buffer.toString()
40 |     .replace(
41 |       /(\= \"..\/..\/terraform-aws-serverless)(.*\n[ ]*)(# version)/g,
42 |       (match, mod, middle) => `= "FormidableLabs/serverless/aws${middle}version`
43 |     );
44 | 
45 |   await fs.writeFile(mainFile, data);
46 | };
47 | 
48 | const main = async ({ on, off }) => {
49 |   if (on && off || !on && !off) {
50 |     throw new Error("Must select exactly one of --on|-off");
51 |   }
52 | 
53 |   if (on) {
54 |     return enableDev();
55 |   }
56 |   return disableDev();
57 | };
58 | 
59 | if (require.main === module) {
60 |   main({
61 |     on: process.argv.includes("--on"),
62 |     off: process.argv.includes("--off")
63 |   }).catch((err) => {
64 |     console.error(err); // eslint-disable-line no-console
65 |     process.exit(1); // eslint-disable-line no-process-exit
66 |   });
67 | }
68 | 


--------------------------------------------------------------------------------
/terraform/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "region" {
 2 |   description = "The deploy target region in AWS"
 3 |   default     = "us-east-1"
 4 | }
 5 | 
 6 | variable "stage" {
 7 |   description = "The stage/environment to deploy to. Suggest: `sandbox`, `development`, `staging`, `production`."
 8 |   default     = "sandbox"
 9 | }
10 | 
11 | variable "service_name" {
12 |   description = "Name of service / application"
13 | }
14 | 
15 | locals {
16 |   tags = {
17 |     "Service" = var.service_name
18 |     "Stage"   = var.stage
19 |   }
20 | }
21 | 
22 | 


--------------------------------------------------------------------------------
/terraform/versions.tf:
--------------------------------------------------------------------------------
1 | 
2 | terraform {
3 |   required_version = ">= 0.12"
4 | }
5 | 


--------------------------------------------------------------------------------