AWS brought Serverless Application Model (SAM) to ease the building of the serverless application on AWS. At a high level, it is an extension of AWS CloudFormation. AWS SAM consists of two major components - SAM template specifications, SAM CLI.
In this article, we are going to talk about 5 tips to get the most out of AWS SAM templates:
Nested applications are built off a concept in AWS CloudFormation called nested stacks. Serverless applications are deployed as stacks that contain one or more other serverless application stacks.
Let's take an example. If we want to build an API made up of AWS Lambda and Amazon API Gateway, we can use AWS SAM to create Lambda functions, configure API Gateway, deploy and manage them both. Now, We want to secure this API. API Gateway has several methods for doing this. Let's say we want to implement basic HTTP Basic Auth. So, Instead of creating this functionality from scratch, we can search it in SAR.
We can review the AWS SAM template, license, and permissions provided in SAR. If it meets our requirements, just copy the SAM Template of it and put it in our application SAM template under "Resources" tag.
These applications will have a type - AWS::Serverless::Application
Now, we can check the output of this application and refer that in the main API Authorizer like below:
With this simple piece of code, we can reuse any existing code resided in SAR.
In AWS SAM template, Globals is a section to create properties common to all the Serverless Function and APIs.
All the AWS::Serverless::Function and AWS::Serverless::Api resources will inherit the properties defined here. Here is a typical example:
For example, I have a feature "Download PDF" which I want to enable only in the test environment for now and don't want to publish to Prod until business approves it. So, the flow will be that an environment value (testing/prod) will be passed as a parameter. There should be a collection object like Map which should hold the status value (on/off) for each environment. Now, logic has to be put to retrieve the status dynamically and set in an environment variable so that the application can behave accordingly.
Using SAM Parameters and Mapping tags, this can be done very easily. See below SAM template on how it is implemented.
Here !FindInMap will search DocumentEnvironment parameter value (testing/staging/prod) in DownloadPDFFeature Map and retrieve "status" field value and set it with "Download_Feature1" variable.
In SAM, we can bump-up this version by just using one property - AutoPublishAlias
AWS SAM will do the following 3 tasks behind the scene:
Apart from this, DeploymentPreference property will help to enable the canary and liner deployment strategy which ensures that if there is any problem with the newer version of the function, it can be rolled back. For example, in the above code, it is going to redirect only 10% of the traffic to the new version for 10 minutes and then keep increasing by 10% every 10 minutes. So, we can monitor the new version and rollback if any issues found.
In the above example, we have used DynamoDBCrudPolicy template which corresponds to the below IAM policy.
Using this feature we are able to reduce the complexity of the security configuration and standardize the security of Lambda Function.
In this article, we are going to talk about 5 tips to get the most out of AWS SAM templates:
1. Reuse Common Pattern using Nested Applications
As serverless architectures grow, common patterns get reimplemented across teams, and projects. This hurts the development velocity and leading to wasted effort. To avoid that, AWS has come up with nested applications in AWS SAM and the AWS Serverless Application Repository (SAR) to make these patterns shareable publicly and privately.Nested applications are built off a concept in AWS CloudFormation called nested stacks. Serverless applications are deployed as stacks that contain one or more other serverless application stacks.
Let's take an example. If we want to build an API made up of AWS Lambda and Amazon API Gateway, we can use AWS SAM to create Lambda functions, configure API Gateway, deploy and manage them both. Now, We want to secure this API. API Gateway has several methods for doing this. Let's say we want to implement basic HTTP Basic Auth. So, Instead of creating this functionality from scratch, we can search it in SAR.
These applications will have a type - AWS::Serverless::Application
Now, we can check the output of this application and refer that in the main API Authorizer like below:
With this simple piece of code, we can reuse any existing code resided in SAR.
2. Reduce Line of Code Using Globals
Serverless Architecture is all about breaking large application into smaller functions. So, if we end up having 10-20 Lambda functions for my application and we configure that in SAM template, we will notice so many Function definition under "Resources" tag.In AWS SAM template, Globals is a section to create properties common to all the Serverless Function and APIs.
All the AWS::Serverless::Function and AWS::Serverless::Api resources will inherit the properties defined here. Here is a typical example:
3. Enable a feature using SAM Parameter and Mappings
Let's suppose we want to enable a feature in our application based on the flag value set in an environment variable. It can get complicated if we want to do it based on the deployment environment like testing/prod.For example, I have a feature "Download PDF" which I want to enable only in the test environment for now and don't want to publish to Prod until business approves it. So, the flow will be that an environment value (testing/prod) will be passed as a parameter. There should be a collection object like Map which should hold the status value (on/off) for each environment. Now, logic has to be put to retrieve the status dynamically and set in an environment variable so that the application can behave accordingly.
Using SAM Parameters and Mapping tags, this can be done very easily. See below SAM template on how it is implemented.
Here !FindInMap will search DocumentEnvironment parameter value (testing/staging/prod) in DownloadPDFFeature Map and retrieve "status" field value and set it with "Download_Feature1" variable.
4. Safe Deployment using AutoPublishAlias and DeploymentPreference
AWS Lambda has Versioning and Alias feature which helps to do the increment deployment of Functions. When an enhancement happens on a function, it can be published with a bumped-up version and an Alias can point to a version which we want to expose to the consumers. Below is the example:
In SAM, we can bump-up this version by just using one property - AutoPublishAlias
AWS SAM will do the following 3 tasks behind the scene:
- Detect when new code is being deployed based on changes to the Lambda function's Amazon S3 URI.
- Create and publish an updated version of that function with the latest code.
- Create an alias with a name provided through ENVIRONMENT parameter and points to the updated version of the Lambda function.
Apart from this, DeploymentPreference property will help to enable the canary and liner deployment strategy which ensures that if there is any problem with the newer version of the function, it can be rolled back. For example, in the above code, it is going to redirect only 10% of the traffic to the new version for 10 minutes and then keep increasing by 10% every 10 minutes. So, we can monitor the new version and rollback if any issues found.
5. Enable Security using Policy Templates
For any Lambda Function, the most important thing is to define what execution it can do and who can invoke it. That's where we define the security around it. SAM has a concept called Policy Templates. Using these templates, having 2 lines of code, corresponds to a complete IAM policy that will be keyed in.
In the above example, we have used DynamoDBCrudPolicy template which corresponds to the below IAM policy.
Using this feature we are able to reduce the complexity of the security configuration and standardize the security of Lambda Function.
No comments: