README
¶
scud
simplified serverless api gateway (AWS CDK L3)
scud is a Simple Cloud Usable Daemon (API Gateway) designed for serverless RESTful API development. This library is an AWS CDK L3 pattern that handles the infrastructure boilerplate, allowing you to focus on developing application logic.
Inspiration
AWS API Gateway and AWS Lambda is a perfect approach for quick prototyping or production development of microservice on Amazon Web Services. Unfortunately, it requires a boilerplate AWS CDK code to bootstrap the development. This library implements a high-order components on top of AWS CDK that hardens the api pattern
The library aids in building Lambda functions by:
- Integrating the "compilation" of Golang serverless functions ("assets") within CDK workflows;
- Providing validation of OAuth2 Bearer tokens for each API endpoint, using various identity provides (IAM, JWT tokens and AWS Cognito).
Getting started
The latest version of the library is available at its main branch. All development, including new features and bug fixes, take place on the main branch using forking and pull requests as described in contribution guidelines. The stable version is available via Golang modules.
Use go get to retrieve the library and add it as dependency to your application.
go get -u github.com/fogfish/scud
Quick Start
package main
import (
"github.com/aws/aws-cdk-go/awscdk/v2"
"github.com/aws/aws-cdk-go/awscdk/v2/awsapigatewayv2"
"github.com/aws/jsii-runtime-go"
"github.com/fogfish/scud"
)
func main() {
app := awscdk.NewApp(nil)
stack := awscdk.NewStack(app, jsii.String("example-api"), nil)
// API Gateway
api := scud.NewGateway(stack, jsii.String("Gateway"), &scud.GatewayProps{})
// Handler Function
fun := scud.NewFunctionGo(stack, jsii.String("Handler"),
&scud.FunctionGoProps{
SourceCodeModule: "github.com/fogfish/scud",
SourceCodeLambda: "test/lambda/go",
},
)
// Example endpoint
api.AddResource("/example", fun)
app.Synth(nil)
}
See advanced example as the service blueprint
User Guide
Serverless functions
AWS CDK supports a bundling feature that streamlines the process of creating assets for Lambda functions from source code. This feature is particularly useful for compiling and packaging your code in languages such as Golang, which need to be converted from source files into executable binaries. The library simplify bundling thought built in presets for assembling ARM64 lambdas for Amazon Linux 2.
scud.NewFunctionGo(stack, jsii.String("Handler"),
&scud.FunctionGoProps{
// Golang module that containing the function
SourceCodeModule: "github.com/fogfish/scud",
// Path to lambda function within the module
SourceCodeLambda: "test/lambda/go",
// Lambda properties
FunctionProps: &awslambda.FunctionProps{},
},
)
Serverless functions (arch amd64)
ARM64 is default architecture for lambda function. Use GoEnv property to build lambda for other architecture.
scud.NewFunctionGo(scope, jsii.String("test"),
&scud.FunctionGoProps{
SourceCodeModule: "github.com/fogfish/scud",
SourceCodeLambda: "test/lambda/go",
GoEnv: map[string]string{"GOARCH": "amd64"},
},
)
API Gateway
The library defined presets for AWS API Gateway V2.
scud.NewGateway(stack, jsii.String("Gateway"),
&scud.GatewayProps{}
)
API Gateway (Domain Name)
The library deploy gateway using default AWS host naming convention https://{uid}.execute-api.{region}.amazonaws.com. Supply custom domain name and Certificate ARN for custom naming.
scud.NewGateway(stack, jsii.String("Gateway"),
&scud.GatewayProps{
Host: jsii.String("test.example.com"),
TlsArn: jsii.String("arn:aws:acm:eu-west-1:000000000000:certificate/00000000-0000-0000-0000-000000000000"),
},
)
API Gateway (Resources)
The Gateway construct implements the AddResource function to associate a Lambda function with a REST API path. It uses the specified path as a prefix, enabling the association of the Lambda function with all subpaths under that prefix.
gateway.AddResource("/example", handler)
Authorizer IAM
The library supports integration with AWS IAM to authorize incoming requests. This integration ensures that only authenticated and authorized principals can access the resources and functionalities provided by your Lambda functions. By leveraging AWS IAM policies and roles, the library enforces fine-grained access control, enhancing the security of your API endpoints.
api := scud.NewGateway(stack, jsii.String("Gateway"),
&scud.GatewayProps{}
)
// Using the IAM authorizer requires specifying a principal or role.
role := awsiam.NewRole(/* ... */)
api.NewAuthorizerIAM().
AddResource("/example", handler, role)
You can still access API with curl even with IAM authorizer is used.
curl https://example.com/petshop/pets \
-XGET \
-H "Accept: application/json" \
-H "x-amz-security-token: $AWS_SESSION_TOKEN" \
--aws-sigv4 "aws:amz:eu-west-1:execute-api" \
--user "$AWS_ACCESS_KEY_ID:$AWS_SECRET_ACCESS_KEY"
Authorizer AWS Cognito
The library supports integration with AWS Cognito to authorize incoming requests. This integration allows you to manage user authentication and authorization seamlessly. By utilizing AWS Cognito, you can implement robust user sign-up, sign-in, and access control mechanisms. The library ensures that only authenticated users with valid tokens can access your API endpoints, providing an additional layer of security and user management capabilities. The integration of AWS API Gateway and AWS Cognito is well documented in the official documentation. This pattern facilitates the deployment of this configuration by simply providing the ARN of the user pool and specifying scopes to protect your endpoints.
api := scud.NewGateway(stack, jsii.String("Gateway"),
&scud.GatewayProps{}
)
// Cognito pool has to be pre-defined
api.NewAuthorizerCognito("arn:aws:cognito-idp:...").
AddResource("/example", handler, "my/scope")
Authorizer JWT
The library supports integration with Single Sign On provider (e.g. Auth0) to authorize incoming requests using JWT tokens. This integration allows you to leverage external identity providers for user authentication, ensuring secure and seamless access to your API endpoints. By validating JWT tokens issued by the SSO provider, the library ensures that only authenticated users can access your resources. Additionally, this setup can support various SSO standards and providers, enhancing flexibility and security in managing user identities and permissions.
api := scud.NewGateway(stack, jsii.String("Gateway"),
&scud.GatewayProps{}
)
api.NewAuthorizerJwt("https://{tenant}.eu.auth0.com/", "https://example.com").
AddResource("/example", handler, "my/scope")
HowTo Contribute
The project is MIT licensed and accepts contributions via GitHub pull requests:
- Fork it and clone
- Create your feature branch (
git checkout -b my-new-feature) - Commit your changes (
git commit -am 'Added some feature') - Push to the branch (
git push origin my-new-feature) - Create new Pull Request
git clone https://github.com/fogfish/scud
cd scud
go build
go test
License
References
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AssetCodeGo ¶
AssetCodeGo bundles lambda function from source code
func NewFunctionGo ¶
func NewFunctionGo(scope constructs.Construct, id *string, spec *FunctionGoProps) awslambda.Function
NewFunctionGo creates Golang Lambda Function from "inline" code
Types ¶
type AuthorizerIAM ¶ added in v0.8.0
type AuthorizerIAM struct {
constructs.Construct
RestAPI apigw2.HttpApi
// contains filtered or unexported fields
}
func (*AuthorizerIAM) AddResource ¶ added in v0.8.0
func (api *AuthorizerIAM) AddResource( endpoint string, handler awslambda.Function, grantee awsiam.IGrantable, ) *AuthorizerIAM
Associate a Lambda function with a REST API path. It uses the specified path as a prefix, enabling the association of the Lambda function with all subpaths under that prefix.
Protect access to resource only for AWS IAM principals.
type AuthorizerJwt ¶ added in v0.8.0
type AuthorizerJwt struct {
constructs.Construct
RestAPI apigw2.HttpApi
// contains filtered or unexported fields
}
func (*AuthorizerJwt) AddResource ¶ added in v0.8.0
func (api *AuthorizerJwt) AddResource( endpoint string, handler awslambda.Function, accessScope ...string, ) *AuthorizerJwt
Associate a Lambda function with a REST API path. It uses the specified path as a prefix, enabling the association of the Lambda function with all subpaths under that prefix.
Protect access to resource only for principals with valid JWT token.
type FunctionGoProps ¶
type FunctionGoProps struct {
*awslambda.FunctionProps
SourceCodeModule string
SourceCodeLambda string
GoEnv map[string]string
GoVar map[string]string
}
FunctionGoProps is properties of the function
type Gateway ¶
type Gateway struct {
constructs.Construct
RestAPI apigw2.HttpApi
// contains filtered or unexported fields
}
func NewGateway ¶
func NewGateway(scope constructs.Construct, id *string, props *GatewayProps) *Gateway
NewGateway creates new instance of Gateway
func (*Gateway) AddResource ¶
Associate a Lambda function with a REST API path. It uses the specified path as a prefix, enabling the association of the Lambda function with all subpaths under that prefix.
func (*Gateway) NewAuthorizerCognito ¶ added in v0.8.0
func (gw *Gateway) NewAuthorizerCognito(cognitoArn string) *AuthorizerJwt
Creates integration with AWS Cognito to authorize incoming requests. This integration allows you to manage user authentication and authorization seamlessly. By utilizing AWS Cognito, you can implement robust user sign-up, sign-in, and access control mechanisms. The library ensures that only authenticated users with valid tokens can access your API endpoints, providing an additional layer of security and user management capabilities.
func (*Gateway) NewAuthorizerIAM ¶ added in v0.8.0
func (gw *Gateway) NewAuthorizerIAM() *AuthorizerIAM
Creates integration with AWS IAM to authorize incoming requests. This integration ensures that only authenticated and authorized principals can access the resources and functionalities provided by your Lambda functions. By leveraging AWS IAM policies and roles, the library enforces fine-grained access control, enhancing the security of your API endpoints.
func (*Gateway) NewAuthorizerJwt ¶ added in v0.8.0
func (gw *Gateway) NewAuthorizerJwt(iss string, aud ...string) *AuthorizerJwt
Creates integration with Single Sign On provider (e.g. Auth0) to authorize incoming requests using JWT tokens. This integration allows you to leverage external identity providers for user authentication, ensuring secure and seamless access to your API endpoints. By validating JWT tokens issued by the SSO provider, the library ensures that only authenticated users can access your resources. Additionally, this setup can support various SSO standards and providers, enhancing flexibility and security in managing user identities and permissions.
type GatewayProps ¶ added in v0.7.0
type GatewayProps struct {
*apigw2.HttpApiProps
Host *string
TlsArn *string
}
type GoCompiler ¶ added in v0.6.0
type GoCompiler struct {
// contains filtered or unexported fields
}
func NewGoCompiler ¶ added in v0.6.0
func (*GoCompiler) SourceCodeLambda ¶ added in v0.6.0
func (g *GoCompiler) SourceCodeLambda() string
func (*GoCompiler) SourceCodePackage ¶ added in v0.6.0
func (g *GoCompiler) SourceCodePackage() string
func (*GoCompiler) TryBundle ¶ added in v0.6.0
func (g *GoCompiler) TryBundle(outputDir *string, options *awscdk.BundlingOptions) *bool
Source Files
Directories