The latest articles on Forem by Oliver Cole (@olivercole). https://forem.com/olivercole https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F21307%2Fa026b827-b1ef-4ab4-b0a9-f732558e11d0.jpeg https://forem.com/olivercole en Oliver Cole Wed, 19 Jul 2017 21:19:02 +0000 https://forem.com/olivercole/terraforming-aws-a-serverless-website-backend-part-3 https://forem.com/olivercole/terraforming-aws-a-serverless-website-backend-part-3 <p><em>This is part three of my article series on using Terraform to build a serverless backend in AWS. Check out <a href="https://dev.toterraforming-aws-a-serverless-website-backend-part-1">part one</a> to get started.</em></p> <h2> Mailgun </h2> <p>Remember that Terraform supports a wide variety of cloud providers, and you can mix them together to produce the design you want.</p> <p>The code we're deploying uses Mailgun.</p> <p>We've already got the Mailgun API key configured as a Terraform variable - let's add an SMTP password to <code>terraform.tfvars</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mailgun_smtp_password = "hunter2" </code></pre> </div> <p>And then we can setup everything up in <code>terraform.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">variable</span> <span class="dl">"</span><span class="s2">mailgun_smtp_password</span><span class="dl">"</span> <span class="p">{}</span> <span class="nx">provider</span> <span class="dl">"</span><span class="s2">mailgun</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">api_key</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${var.environment_configs[</span><span class="dl">"</span><span class="nx">mail_api_key</span><span class="dl">"</span><span class="s2">]}</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">mailgun_domain</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">serverless</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${var.environment_configs[</span><span class="dl">"</span><span class="nx">mailgun_domain_name</span><span class="dl">"</span><span class="s2">]}</span><span class="dl">"</span> <span class="nx">spam_action</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">disabled</span><span class="dl">"</span> <span class="nx">smtp_password</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${var.mailgun_smtp_password}</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>This is a good moment to touch on arguments and attributes - all the values you configured, like <code>spam_action = "disabled"</code>, are <strong>arguments</strong> - just like calling constructors or functions in other languages.<br> <strong>Attributes</strong> are values on the resource that exist once it is created - for example an assigned IP address or URL, just like an instance property in other languages. We used it earlier when creating the <code>aws_kms_alias</code> for example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">target_key_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_kms_key.LambdaBackend_config.key_id}</span><span class="dl">"</span> </code></pre> </div> <p>The <code>mailgun_domain</code> resource provides two <strong>attributes</strong> for the DNS records you need to create in order for Mailgun to send and receive email for your domain. There are two ways you can get this setup.</p> <h4> Manually setup Mailgun DNS records </h4> <p>The first way is simply to output the DNS records from Terraform and apply them manually at your DNS provider.</p> <p>Back when we setup the SSM Parameter Store entries for our Lambda function, we used variables - specifically input variables that were passed from our <code>terraform.tfvars</code> file and onwards into <code>ssm_parameter_map.tf</code>. Terraform also supports <a href="https://www.terraform.io/intro/getting-started/outputs.html">output variables</a> - either from modules like <code>ssm_parameter_map</code> or from our 'root' <code>terraform.tf</code> module.</p> <p>Add these output variables to output the DNS records from the deployed <code>mailgun_domain</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">output</span> <span class="dl">"</span><span class="s2">send</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${mailgun_domain.serverless.sending_records}</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">output</span> <span class="dl">"</span><span class="s2">receive</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${mailgun_domain.serverless.receiving_records}</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>Then just <code>terraform apply</code> and the required DNS records will be shown at the end of the run. (If that didn't work - what might you have forgotten to do?) </p> <h4> Setup Mailgun DNS records using Terraform </h4> <p>Alternatively, at this point you probably know enough Terraform to try setting up the DNS records automatically! Terraform supports a variety of DNS providers, including <a href="https://www.terraform.io/docs/providers/aws/r/route53_record.html">AWS</a> (you might consider using <a href="https://github.com/samstav/tf_mailgun_aws">this module</a>), <a href="https://www.terraform.io/docs/providers/dme/index.html">DNSMadeEasy</a>, <a href="https://www.terraform.io/docs/providers/dnsimple/index.html">DNSimple</a>, <a href="https://www.terraform.io/docs/providers/cloudflare/index.html">Cloudflare</a>, <a href="https://www.terraform.io/docs/providers/dyn/index.html">Dyn</a> and generic <a href="https://www.terraform.io/docs/providers/dns/index.html">RFC 2136 access</a>.</p> <p>If you aren't using anything more than your domain registrar's default settings, AWS has worked well for me personally, but does incur a small charge.</p> <p>Make use of the <code>sending_records</code> and <code>receiving_records</code> attributes mentioned above to setup your provider, and make sure you've run <code>terraform apply</code> before proceeding. If you need to work with the list of records or adjust the format of any strings, check out the <a href="https://www.terraform.io/docs/configuration/interpolation.html">interpolation documentation</a> for details.</p> <h1> Test Lambda </h1> <p>You can test your Lambda function by heading to the Lambda console, and using the test event:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="dl">"</span><span class="s2">body-json</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">email=user%40domain.com</span><span class="dl">"</span><span class="p">}</span> </code></pre> </div> <p>Alternatively, you can do this on the command line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws lambda invoke --function-name LambdaBackend --payload "{ \"body-json\": \"email=user%40domain.com\"}" out.txt </code></pre> </div> <p>Either way, you should receive an email at that address, and the result should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="dl">"</span><span class="s2">errorMessage</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Email.MovedPermanently : Redirecting.</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">errorType</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">http://your/redirect/URL</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">stackTrace</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">redirect (/var/task/index.js:50:19)</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/var/task/index.js:111:20</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">transporter.send (/var/task/node_modules/nodemailer/lib/mailer/index.js:187:21)</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/var/task/node_modules/nodemailer-mailgun-transport/src/mailgun-transport.js:149:9</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Request.finalCb [as callback] (/var/task/node_modules/nodemailer-mailgun-transport/node_modules/mailgun-js/lib/request.js:99:12)</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">IncomingMessage.&lt;anonymous&gt; (/var/task/node_modules/nodemailer-mailgun-transport/node_modules/mailgun-js/lib/request.js:313:17)</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">emitNone (events.js:91:20)</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">IncomingMessage.emit (events.js:185:7)</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">endReadableNT (_stream_readable.js:974:12)</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">_combinedTickCallback (internal/process/next_tick.js:80:11)</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">process._tickDomainCallback (internal/process/next_tick.js:128:9)</span><span class="dl">"</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The Lambda function returns an error for reasons you will see later.</p> <p>If your function isn't working, take a look at the Cloudwatch logs for your function.</p> <h1> API gateway </h1> <p>Now that the function is working within AWS, we need to hook it up to the API gateway to expose it to the outside world.</p> <p>This section sets up logging from the API Gateway:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_api_gateway_account</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">gateway</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">cloudwatch_role_arn</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_iam_role.cloudwatchlog.arn}</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_iam_role</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">cloudwatchlog</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">cloudwatchlog</span><span class="dl">"</span> <span class="nx">assume_role_policy</span> <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="nx">EOF</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Version</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Statement</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Sid</span><span class="dl">"</span><span class="p">:</span> <span class="dl">""</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Effect</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Principal</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Service</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">apigateway.amazonaws.com</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">Action</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sts:AssumeRole</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">EOF</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_iam_policy_attachment</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">cloudwatchlog</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">cloudwatchlog</span><span class="dl">"</span> <span class="nx">roles</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">${aws_iam_role.cloudwatchlog.name}</span><span class="dl">"</span><span class="p">]</span> <span class="nx">policy_arn</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>This section sets up the actual API, resources and integrations. There are also Terraform modules available for this if you want to go down that route.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_api_gateway_rest_api</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">service</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">BackendService</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_api_gateway_resource</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">api</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_rest_api.service.id}</span><span class="dl">"</span> <span class="nx">parent_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_rest_api.service.root_resource_id}</span><span class="dl">"</span> <span class="nx">path_part</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">api</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_api_gateway_resource</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_rest_api.service.id}</span><span class="dl">"</span> <span class="nx">parent_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_resource.api.id}</span><span class="dl">"</span> <span class="nx">path_part</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_api_gateway_method</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">post</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_rest_api.service.id}</span><span class="dl">"</span> <span class="nx">resource_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_resource.email.id}</span><span class="dl">"</span> <span class="nx">http_method</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span> <span class="nx">authorization</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">NONE</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_api_gateway_integration</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">integration</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_rest_api.service.id}</span><span class="dl">"</span> <span class="nx">resource_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_resource.email.id}</span><span class="dl">"</span> <span class="nx">http_method</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_method.post.http_method}</span><span class="dl">"</span> <span class="nx">integration_http_method</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span> <span class="nx">type</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">AWS</span><span class="dl">"</span> <span class="nx">uri</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">arn:aws:apigateway:${var.region}:lambda:path/2015-03-31/functions/${aws_lambda_function.LambdaBackend_lambda.arn}:$${stageVariables.alias}/invocations</span><span class="dl">"</span> <span class="nx">passthrough_behavior</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">WHEN_NO_TEMPLATES</span><span class="dl">"</span> <span class="nx">request_templates</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">application/x-www-form-urlencoded</span><span class="dl">"</span> <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="nx">EOF</span> <span class="err">##</span> <span class="nx">See</span> <span class="nx">http</span><span class="p">:</span><span class="c1">//docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html</span> <span class="err">##</span> <span class="nx">This</span> <span class="nx">template</span> <span class="nx">will</span> <span class="nx">pass</span> <span class="nx">through</span> <span class="nx">all</span> <span class="nx">parameters</span> <span class="nx">including</span> <span class="nx">path</span><span class="p">,</span> <span class="nx">querystring</span><span class="p">,</span> <span class="nx">header</span><span class="p">,</span> <span class="nx">stage</span> <span class="nx">variables</span><span class="p">,</span> <span class="nx">and</span> <span class="nx">context</span> <span class="nx">through</span> <span class="nx">to</span> <span class="nx">the</span> <span class="nx">integration</span> <span class="nx">endpoint</span> <span class="nx">via</span> <span class="nx">the</span> <span class="nx">body</span><span class="o">/</span><span class="nx">payload</span> <span class="err">#</span><span class="kd">set</span><span class="p">(</span><span class="nx">$allParams</span> <span class="o">=</span> <span class="nx">$input</span><span class="p">.</span><span class="nx">params</span><span class="p">())</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">body-json</span><span class="dl">"</span> <span class="p">:</span> <span class="nx">$input</span><span class="p">.</span><span class="nx">json</span><span class="p">(</span><span class="dl">'</span><span class="s1">$</span><span class="dl">'</span><span class="p">),</span> <span class="dl">"</span><span class="s2">params</span><span class="dl">"</span> <span class="p">:</span> <span class="p">{</span> <span class="err">#</span><span class="nx">foreach</span><span class="p">(</span><span class="nx">$type</span> <span class="k">in</span> <span class="nx">$allParams</span><span class="p">.</span><span class="nx">keySet</span><span class="p">())</span> <span class="err">#</span><span class="kd">set</span><span class="p">(</span><span class="nx">$params</span> <span class="o">=</span> <span class="nx">$allParams</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="nx">$type</span><span class="p">))</span> <span class="dl">"</span><span class="s2">$type</span><span class="dl">"</span> <span class="p">:</span> <span class="p">{</span> <span class="err">#</span><span class="nx">foreach</span><span class="p">(</span><span class="nx">$paramName</span> <span class="k">in</span> <span class="nx">$params</span><span class="p">.</span><span class="nx">keySet</span><span class="p">())</span> <span class="dl">"</span><span class="s2">$paramName</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$util.escapeJavaScript($params.get($paramName))</span><span class="dl">"</span> <span class="err">#</span><span class="k">if</span><span class="p">(</span><span class="nx">$foreach</span><span class="p">.</span><span class="nx">hasNext</span><span class="p">),</span><span class="err">#</span><span class="nx">end</span> <span class="err">#</span><span class="nx">end</span> <span class="p">}</span> <span class="err">#</span><span class="k">if</span><span class="p">(</span><span class="nx">$foreach</span><span class="p">.</span><span class="nx">hasNext</span><span class="p">),</span><span class="err">#</span><span class="nx">end</span> <span class="err">#</span><span class="nx">end</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">stage-variables</span><span class="dl">"</span> <span class="p">:</span> <span class="p">{</span> <span class="err">#</span><span class="nx">foreach</span><span class="p">(</span><span class="nx">$key</span> <span class="k">in</span> <span class="nx">$stageVariables</span><span class="p">.</span><span class="nx">keySet</span><span class="p">())</span> <span class="dl">"</span><span class="s2">$key</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$util.escapeJavaScript($stageVariables.get($key))</span><span class="dl">"</span> <span class="err">#</span><span class="k">if</span><span class="p">(</span><span class="nx">$foreach</span><span class="p">.</span><span class="nx">hasNext</span><span class="p">),</span><span class="err">#</span><span class="nx">end</span> <span class="err">#</span><span class="nx">end</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">context</span><span class="dl">"</span> <span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">account-id</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.accountId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">api-id</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.apiId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">api-key</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.apiKey</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">authorizer-principal-id</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.authorizer.principalId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">caller</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.caller</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cognito-authentication-provider</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.cognitoAuthenticationProvider</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cognito-authentication-type</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.cognitoAuthenticationType</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cognito-identity-id</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.cognitoIdentityId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cognito-identity-pool-id</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.cognitoIdentityPoolId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">http-method</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.httpMethod</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">stage</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.stage</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">source-ip</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.sourceIp</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.user</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">user-agent</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.userAgent</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">user-arn</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.identity.userArn</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">request-id</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.requestId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">resource-id</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.resourceId</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">resource-path</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">$context.resourcePath</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">EOF</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_api_gateway_method_response</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">301</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_rest_api.service.id}</span><span class="dl">"</span> <span class="nx">resource_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_resource.email.id}</span><span class="dl">"</span> <span class="nx">http_method</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_method.post.http_method}</span><span class="dl">"</span> <span class="nx">status_code</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">301</span><span class="dl">"</span> <span class="nx">depends_on</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">aws_api_gateway_integration.integration</span><span class="dl">"</span><span class="p">]</span> <span class="nx">response_parameters</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">method.response.header.Location</span><span class="dl">"</span> <span class="o">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_api_gateway_integration_response</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">default</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_rest_api.service.id}</span><span class="dl">"</span> <span class="nx">resource_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_resource.email.id}</span><span class="dl">"</span> <span class="nx">http_method</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_method.post.http_method}</span><span class="dl">"</span> <span class="nx">status_code</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_method_response.301.status_code}</span><span class="dl">"</span> <span class="nx">selection_pattern</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">^Email.MovedPermanently.*</span><span class="dl">"</span> <span class="nx">response_parameters</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">method.response.header.Location</span><span class="dl">"</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">integration.response.body.errorType</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">aws_api_gateway_integration.integration</span><span class="dl">"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_api_gateway_deployment</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">deploy</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">aws_api_gateway_method.post</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">aws_api_gateway_integration.integration</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">aws_api_gateway_integration_response.default</span><span class="dl">"</span><span class="p">]</span> <span class="nx">rest_api_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_rest_api.service.id}</span><span class="dl">"</span> <span class="nx">stage_name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${terraform.env}</span><span class="dl">"</span> <span class="nx">variables</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">alias</span><span class="dl">"</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${terraform.env}</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_api_gateway_method_settings</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">settings</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">rest_api_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_rest_api.service.id}</span><span class="dl">"</span> <span class="nx">stage_name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_deployment.deploy.stage_name}</span><span class="dl">"</span> <span class="nx">method_path</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_resource.api.path_part}/${aws_api_gateway_resource.email.path_part}/${aws_api_gateway_method.post.http_method}</span><span class="dl">"</span> <span class="nx">settings</span> <span class="p">{</span> <span class="nx">metrics_enabled</span> <span class="o">=</span> <span class="kc">true</span> <span class="nx">logging_level</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">INFO</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_lambda_alias</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">alias</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${terraform.env}</span><span class="dl">"</span> <span class="nx">function_name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_lambda_function.LambdaBackend_lambda.arn}</span><span class="dl">"</span> <span class="nx">function_version</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">$LATEST</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_lambda_permission</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">invoke</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">statement_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${terraform.env}Invoke</span><span class="dl">"</span> <span class="nx">action</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">lambda:InvokeFunction</span><span class="dl">"</span> <span class="nx">function_name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_lambda_function.LambdaBackend_lambda.arn}</span><span class="dl">"</span> <span class="nx">principal</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">apigateway.amazonaws.com</span><span class="dl">"</span> <span class="nx">source_arn</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">arn:aws:execute-api:${var.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.service.id}/*/${aws_api_gateway_method.post.http_method}/${aws_api_gateway_resource.api.path_part}/${aws_api_gateway_resource.email.path_part}</span><span class="dl">"</span> <span class="nx">qualifier</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${terraform.env}</span><span class="dl">"</span> <span class="nx">depends_on</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">aws_lambda_alias.alias</span><span class="dl">"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Back when we setup the SSM Parameter Store entries for our Lambda function, we used variables - specifically input variables that were passed from our <code>terraform.tfvars</code> file and onwards into <code>ssm_parameter_map.tf</code>. Terraform also supports <a href="https://www.terraform.io/intro/getting-started/outputs.html">output variables</a> - either from modules like <code>ssm_parameter_map</code> or from our 'root' <code>terraform.tf</code> module.</p> <p>Add this output variable to output the path from the deployed API Gateway:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">output</span> <span class="dl">"</span><span class="s2">invoke_url</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_api_gateway_deployment.deploy.invoke_url}/${aws_api_gateway_resource.api.path_part}/${aws_api_gateway_resource.email.path_part}</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>When you <code>terraform apply</code> you will get the value of the variable printed at the end of the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Outputs: invoke_url = https://api_id_here.execute-api.eu-west-1.amazonaws.com/default/api/email </code></pre> </div> <h1> Test API </h1> <p>Now your Lambda function is exposed as an API.</p> <ol> <li>Start up Postman, and enter the value from invoke_url as your URL.</li> <li>Change the method to <code>POST</code> </li> <li>On the Body tab, set the type to <code>x-www-form-urlencoded</code> </li> <li>Add the key <code>email</code> and the target email address as the value.</li> <li>Hit Send!</li> </ol> <p>Postman should follow the redirect to your configured URL, and you should receive the email in your inbox. Congratulations!</p> <h1> Mayhem and destruction </h1> <p>If at any point you want to tear down the configuration of these services at AWS and Mailgun, you can simply run <code>terraform destroy</code> and confirm when asked. Your <code>terraform.tf</code> file will be unaffected.</p> <p>DynamoDB provisioned throughput does incur a running cost for example, so you may wish to consider doing this when you have completed the article series.</p> <h1> Next steps </h1> <p>Rob's <a href="http://robsherling.com/jbytes/index.php/2017/01/08/serverless-backends-with-aws-cloud-intro/">original article</a> goes on to add much more functionality, and make use of additional AWS services. However, you probably don't need to know any more about Terraform to do so, so I am going to pause the article series here to gather some feedback. If enough people find this useful I will finish the series.</p> <p>Please let me know in the comments if you have any questions or comments, and especially if you found this useful!</p> terraform aws serverless backend Oliver Cole Wed, 19 Jul 2017 21:18:49 +0000 https://forem.com/olivercole/terraforming-aws-a-serverless-website-backend-part-2 https://forem.com/olivercole/terraforming-aws-a-serverless-website-backend-part-2 <p><em>This is part two of my article series on using Terraform to build a serverless backend in AWS. Check out <a href="https://dev.toterraforming-aws-a-serverless-website-backend-part-1">part one</a> to get started.</em></p> <h2> Data sources and encryption </h2> <p>Next up is a new concept: data sources. These allow you to pull in data from other external sources at runtime.<br> At the end of part one, we added this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">data</span> <span class="dl">"</span><span class="s2">aws_caller_identity</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">current</span><span class="dl">"</span> <span class="p">{}</span> </code></pre> </div> <p><a href="https://www.terraform.io/docs/providers/aws/d/caller_identity.html"><code>aws_caller_identity</code></a> allows you to get the AWS user ID of the account, and it's used in constructing policy documents and ARNs, using exactly the same interpolation as before:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_kms_key</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">LambdaBackend_config</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">description</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">LambdaBackend_config_key</span><span class="dl">"</span> <span class="nx">deletion_window_in_days</span> <span class="o">=</span> <span class="mi">7</span> <span class="nx">policy</span> <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="nx">POLICY</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Version</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Id</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">key-consolepolicy-3</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Statement</span><span class="dl">"</span> <span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Sid</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Enable IAM User Permissions</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Effect</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Principal</span><span class="dl">"</span> <span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">AWS</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">arn:aws:iam::${data.aws_caller_identity.current.account_id}:root</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">Action</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">kms:*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Resource</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Sid</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Allow use of the key</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Effect</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Principal</span><span class="dl">"</span> <span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">AWS</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">${aws_iam_role.LambdaBackend_master_lambda.arn}</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">Action</span><span class="dl">"</span> <span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">kms:Encrypt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">kms:Decrypt</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">kms:ReEncrypt*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">kms:GenerateDataKey*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">kms:DescribeKey</span><span class="dl">"</span> <span class="p">],</span> <span class="dl">"</span><span class="s2">Resource</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Sid</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Allow attachment of persistent resources</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Effect</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Principal</span><span class="dl">"</span> <span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">AWS</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">${aws_iam_role.LambdaBackend_master_lambda.arn}</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">Action</span><span class="dl">"</span> <span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">kms:CreateGrant</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">kms:ListGrants</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">kms:RevokeGrant</span><span class="dl">"</span> <span class="p">],</span> <span class="dl">"</span><span class="s2">Resource</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Condition</span><span class="dl">"</span> <span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Bool</span><span class="dl">"</span> <span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">kms:GrantIsForAWSResource</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">true</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">POLICY</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_kms_alias</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">LambdaBackend_config_alias</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">alias/LambdaBackend_config</span><span class="dl">"</span> <span class="nx">target_key_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_kms_key.LambdaBackend_config.key_id}</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>When we create some configuration for the service we'll be encrypting it - these resources allow us to do that!</p> <p>You can <code>terraform apply</code> all of that.</p> <p>Terraform is pre v1.0 software, and the <code>aws_kms_key</code> resource can sometimes throw an error. If this happens, just <code>terraform apply</code> again, and keep an eye on <a href="https://github.com/terraform-providers/terraform-provider-aws/issues/245">this issue!</a></p> <h1> Application config </h1> <p>Now we're going to define some configuration for our Lambda function. It's good practice to separate application code and configuration, and it's even better practice not to check the latter into source control. We're going to store our configuration using the AWS EC2 Systems Manager, known as SSM, and in the process going to learn about Terraform variables and modules.</p> <p>We're going to be storing our configuration in the SSM <a href="https://aws.amazon.com/ec2/systems-manager/parameter-store/">Parameter Store</a>. This is a key-value store useful for simple configuration strings, API keys and passwords - and it's free! You can configure content to be encrypted with the keys we just created, and control access to it with the IAM policies we also created.</p> <p><a href="https://www.terraform.io/language/values/variables">Variables</a> in Terraform work in a similar way to most programming languages. You declare them in the code, possibly with a value, and then you retrieve the value with the <code>${var.variable_name}</code> syntax, similar to data sources above. You can also specify these variable values on the command line, or in separate files, meaning you don't have to check your secrets into source control. See <a href="https://spacelift.io/blog/how-to-use-terraform-variables">How to Use Terraform Variables</a> for more information.</p> <p>Terraform maps are similar to hashtables, hashmaps, dictionaries or similar data structures in other languages. Go ahead and define it in <code>terraform.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">variable</span> <span class="dl">"</span><span class="s2">environment_configs</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">type</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">map</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>Then you can create a new file called <code>terraform.tfvars</code> in the same directory as <code>terraform.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">environment_configs</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">site_callback</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">CALLBACK TO RETURN TO FROM LAMBDA</span><span class="dl">"</span><span class="p">,</span> <span class="nx">email_table_name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">EMAIL DYNAMODB TABLE</span><span class="dl">"</span><span class="p">,</span> <span class="nx">aes_password</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">AES PASSWORD</span><span class="dl">"</span><span class="p">,</span> <span class="nx">mail_api_key</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">MAILGUN KEY</span><span class="dl">"</span><span class="p">,</span> <span class="nx">mailgun_domain_name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">MAILGUN DOMAIN</span><span class="dl">"</span><span class="p">,</span> <span class="nx">from_email</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">OUTGOING EMAIL ACCOUNT</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>Some tips on the contents of the variables:</p> <ul> <li> <code>site_callback</code> - An http(s) URL.</li> <li> <code>email_table_name</code> - Just a simple table name following the <a href="http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.NamingRules">DynamoDB rules</a>, like <code>emails</code>.</li> <li> <code>aes_password</code> - A 32 character AES key. If you don't have one handy, check out <a href="https://github.com/OliverCole/serverless-backend/blob/master/keygen.js"><code>keygen.js</code></a>.</li> <li> <code>mail_api_key</code> - From your Mailgun account.</li> <li> <code>mailgun_domain_name</code> - A domain or subdomain you control DNS for.</li> <li> <code>from_email</code> - An account on that domain. Just a name, no need to set anything up - Mailgun will work regardless!</li> </ul> <p>Terraform supports the concept of <a href="https://www.terraform.io/intro/getting-started/modules.html">modules</a> - reusable collections of resources intended to work together: for example, a set of web servers and a load balancer. You can use this across multiple projects, even separating it out into separate source control or storage.</p> <p>We're going to use a simple module to turn the <code>environment_configs</code> map into entries in the SSM Parameter Store. In the same directory as <code>terraform.tf</code> create a new directory called <code>ssm_parameter_map</code>, containing a file called <code>ssm_parameter_map.tf</code>, with this content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">variable</span> <span class="dl">"</span><span class="s2">configs</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">description</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Key/value pairs to create in the SSM Parameter Store</span><span class="dl">"</span> <span class="nx">type</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">map</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="dl">"</span><span class="s2">prefix</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">description</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Prefix to apply to all key names</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="dl">"</span><span class="s2">kms_key_id</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">description</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">ID of KMS key to use to encrypt values</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_ssm_parameter</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">configs</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">count</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${length(keys(var.configs))}</span><span class="dl">"</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/${var.prefix}/${element(keys(var.configs),count.index)}</span><span class="dl">"</span> <span class="nx">type</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">SecureString</span><span class="dl">"</span> <span class="nx">value</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${element(values(var.configs),count.index)}</span><span class="dl">"</span> <span class="nx">key_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${var.kms_key_id}</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>You will notice that this module has variables of its own, and the values get set when you call this module from your own code. For more details on the rest of the code, check out Gruntwork's article on <a href="https://blog.gruntwork.io/terraform-tips-tricks-loops-if-statements-and-gotchas-f739bbae55f9">loops and if statements</a>.</p> <p>Call your module from <code>terraform.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span> <span class="dl">"</span><span class="s2">parameters</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">source</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/ssm_parameter_map</span><span class="dl">"</span> <span class="nx">configs</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${var.environment_configs}</span><span class="dl">"</span> <span class="nx">prefix</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${terraform.env}</span><span class="dl">"</span> <span class="nx">kms_key_id</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_kms_key.LambdaBackend_config.key_id}</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>The <code>source</code> argument points to the module code, and the other arguments feed into the variables you saw in <code>ssm_parameter_map.tf</code>. <code>terraform.env</code> is currently the string <code>default</code>, but this will change later on when we delve into Terraform state environments.</p> <p>Because Terraform modules could be located anywhere, you need to run <code>terraform init</code> to pull down your copy of the module code. This is the same command you ran earlier to download the AWS provider for Terraform. It should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>λ terraform init Initializing modules... - module.parameters Getting source "./ssm_parameter_map" </code></pre> </div> <p>Then <code>terraform apply</code> as usual. Remember that you will need to run <code>terraform get</code> again if you move between machines or Git working copies.</p> <p>Terraform is pre v1.0 software, and the <code>aws_ssm_parameter</code> resources in the module can sometimes throw a <code>TooManyUpdates</code> error. If this happens, just <code>terraform apply</code> again, and keep an eye on <a href="https://github.com/terraform-providers/terraform-provider-aws/issues/1082">this issue!</a></p> <h1> Application code </h1> <p>Now we're going to put together code for our Lambda function. Once it's built and packaged for deployment, we'll switch back to Terraform and deploy it.</p> <ol> <li>Create a sub-directory called <code>email_lambda</code> </li> <li>Download <a href="https://github.com/OliverCole/serverless-backend/blob/master/email_lambda/index.js"><code>index.js</code></a> to this directory. <ul> <li>On line 8, change us-west-1 to the same AWS region you configured your <code>aws</code> provider with.</li> <li>This is our main app code</li> </ul> </li> <li>Add a file called <code>email.html</code> to this directory containing the email content. <ul> <li>If you're short on ideas, you can use this <a href="https://github.com/OliverCole/serverless-backend/blob/master/email_lambda/email.html">example file</a>. </li> </ul> </li> <li>Install the email libraries we will use with npm. Make sure to do this from inside <code>email_lambda</code>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm install -prefix=./ nodemailer@4.0.1 nodemailer-mailgun-transport@1.3.5 aws-sdk@2.81.0 ssm-params@0.0.6 </code></pre> </div> <p>Now zip the whole directory into <code>email_lambda.zip</code>, making sure that the root of the zip file contains the files (<code>index.js</code> etc) and not a directory called <code>email_lambda</code>. It should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>email_lambda.zip ├───etc ├───node_modules ├───email.html └───index.js </code></pre> </div> <p>If you have 7Zip installed on Windows, the command would be <code>7z.exe a -r email_lambda.zip .\email_lambda\*</code>.</p> <p>At this point, your directory structure should look something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>├───.terraform │ └───modules │ └───03f77d1ff66d94c49e171247a4234cd8 ├───email_lambda │ ├───etc │ └───node_modules │ ├───nodemailer │ │ └─── ... │ ├───nodemailer-mailgun-transport │ │ ├─── ... │ └───ssm-params │ └─── ... ├───ssm_parameter_map ├───email_lambda.zip ├───terraform.tf ├───terraform.tfstate ├───terraform.tfstate.backup └───terraform.tfvars </code></pre> </div> <p>Now, you can add the Lambda function to <code>terraform.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_lambda_function</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">LambdaBackend_lambda</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">email_lambda.zip</span><span class="dl">"</span> <span class="nx">function_name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">LambdaBackend</span><span class="dl">"</span> <span class="nx">role</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_iam_role.LambdaBackend_master_lambda.arn}</span><span class="dl">"</span> <span class="nx">handler</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">index.handler</span><span class="dl">"</span> <span class="nx">source_code_hash</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${base64sha256(file(</span><span class="dl">"</span><span class="nx">email_lambda</span><span class="p">.</span><span class="nx">zip</span><span class="dl">"</span><span class="s2">))}</span><span class="dl">"</span> <span class="nx">runtime</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">nodejs6.10</span><span class="dl">"</span> <span class="nx">timeout</span> <span class="o">=</span> <span class="mi">15</span> <span class="nx">publish</span> <span class="o">=</span> <span class="kc">true</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">env</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${terraform.env}</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Apply that, and carry on to the <a href="https://dev.toterraforming-aws-a-serverless-website-backend-part-3">final part</a>.</p> terraform aws serverless backend Oliver Cole Wed, 19 Jul 2017 21:18:23 +0000 https://forem.com/olivercole/terraforming-aws-a-serverless-website-backend-part-1 https://forem.com/olivercole/terraforming-aws-a-serverless-website-backend-part-1 <p><em>What if you could define all the infrastructure for your cloud application using code or text, apply your design and changes automatically, and then collaborate with your team in source control?</em></p> <p><em>That's the promise of <a href="https://www.terraform.io/" rel="noopener noreferrer">Terraform</a>, an infrastructure-as-code tool from <a href="https://www.hashicorp.com/" rel="noopener noreferrer">HashiCorp</a></em></p> <h1> Introduction </h1> <p>Rob Sherling wrote a <a href="http://robsherling.com/jbytes/index.php/2017/01/08/serverless-backends-with-aws-cloud-intro/" rel="noopener noreferrer">great article</a> on how to build a website backend on serverless infrastructure. This article will take you through the first stages of constructing Rob's infrastructure design using Terraform, and explain some Terraform concepts and rules along the way. Thanks in advance to Rob, who allowed me to write this article on top of his code and design!</p> <p>This article, like Rob's original, assumes that:</p> <ul> <li>You have an AWS account, know how to use it, and are comfortable with some small charges (though this generally fits into the free tier).</li> <li>You have the <a href="https://aws.amazon.com/cli/" rel="noopener noreferrer">AWS CLI</a> installed and <a href="http://docs.aws.amazon.com/cli/latest/userguide/cli-config-files.html" rel="noopener noreferrer">configured</a>.</li> <li>You have a domain name you can use for this project.</li> <li>You're comfortable with basic Javascript - don't worry, we will just be modifying some existing code.</li> <li>You have at least heard of the following (if not, read a bit on the ones you don’t know): <ul> <li><a href="https://aws.amazon.com/lambda/" rel="noopener noreferrer">AWS Lambda</a></li> <li><a href="https://aws.amazon.com/api-gateway/" rel="noopener noreferrer">API Gateway</a></li> <li><a href="https://aws.amazon.com/cloudwatch/" rel="noopener noreferrer">CloudWatch</a></li> <li><a href="https://aws.amazon.com/dynamodb/" rel="noopener noreferrer">DynamoDB</a></li> <li><a href="https://aws.amazon.com/kms/" rel="noopener noreferrer">KMS</a></li> <li><a href="https://aws.amazon.com/iam/" rel="noopener noreferrer">IAM</a></li> <li>The mail service <a href="https://www.mailgun.com/" rel="noopener noreferrer">Mailgun</a> </li> <li>The API tool <a href="https://www.getpostman.com/" rel="noopener noreferrer">Postman</a> </li> </ul> </li> </ul> <p>You might need more later on, but if you have the above you can build something today!</p> <p>We're going to make use of all these different services, and some application code to build an entire application. If you would prefer to just learn the basics by starting up some VMs on EC2, you may prefer David Schmitz's article on <a href="https://dev.to/koenighotze/using-terraform-for-cloud-deployments---part-1">Using Terraform for Cloud Deployments</a>.</p> <h3> So what is Terraform? </h3> <blockquote> <p>Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.</p> <p>Configuration files describe to Terraform the components needed to run a single application or your entire datacenter. Terraform generates an execution plan describing what it will do to reach the desired state, and then executes it to build the described infrastructure. As the configuration changes, Terraform is able to determine what changed and create incremental execution plans which can be applied.</p> </blockquote> <p>In other words, you describe your application infrastructure in human readable config/code, and Terraform handles all the detail of how to make that happen at your cloud provider.</p> <p>Both Terraform and CloudFormation allow you to achieve similar results at AWS, but Terraform supports many more cloud providers than just AWS, as well as letting you work with scenarios like multiple AWS accounts, or composing different cloud providers into one deployed application.</p> <h3> What are we actually building? </h3> <p>We are going to make the backend for a website to be used in a marketing campaign - it will gather Twitter handles and email addresses for potential customers, and allow you to send them messages. To be hip and modern, we're going to make the backend <em>'<a href="https://aws.amazon.com/serverless/" rel="noopener noreferrer">serverless</a>'</em> by using entirely AWS cloud services (mainly Lambda and DynamoDB) to reduce costs and maintenance.</p> <p>In part 1 of this article series, we will just tackle the initial email capture and storage.</p> <p>Here's how the main pieces plug together:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F4ndc28tq72uqtj6jtqr0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F4ndc28tq72uqtj6jtqr0.png" title="Serverless backend AWS diagram" alt="Serverless backend AWS diagram" width="714" height="282"></a></p> <h3> What do I need? </h3> <p>You'll need a few things to complete the whole series, but for part 1, all you need is the following:</p> <h4> Terraform </h4> <p><a href="https://www.terraform.io/downloads.html" rel="noopener noreferrer">Download it</a>, and place it in your PATH.</p> <h4> Postman </h4> <p><a href="https://www.getpostman.com/" rel="noopener noreferrer">Install it</a>. We'll use this to test your backend API.</p> <h4> Mailgun account </h4> <p>Sign up for a <a href="https://www.mailgun.com/" rel="noopener noreferrer">free account</a>. We'll use this to send the emails. Don't link your domain yet (if you did already, delete it). Make sure you set up some <a href="https://app.mailgun.com/app/account/authorized" rel="noopener noreferrer">authorized recipients</a> to use while testing.</p> <h4> Node.js </h4> <p><a href="https://nodejs.org/en/" rel="noopener noreferrer">Install it</a>. The infrastructure we build will also support Python, Java and C# (.NET Core), but the example code in this article series is all Node.js.</p> <h4> Optional: Text editor plugins </h4> <p>If you've graduated to something more advanced than Notepad (and you really should!), installing syntax highlighting and editor settings can make a big difference to your day:</p> <ul> <li>Atom <a href="https://atom.io/packages/language-terraform" rel="noopener noreferrer">syntax highlighting</a> </li> <li>VS Code <a href="https://marketplace.visualstudio.com/items?itemName=mauve.terraform" rel="noopener noreferrer">syntax highlighting, linting, formatting and validation</a> </li> <li>Sublime Text <a href="https://github.com/alexlouden/Terraform.tmLanguage" rel="noopener noreferrer">syntax highlighting and code snippets</a> </li> </ul> <h1> Getting started </h1> <p>As we go along I will introduce various Terraform and AWS concepts, and link to their documentation. You can lay Terraform files out in whatever order you like - I've only chosen this order to slowly introduce new concepts.</p> <h3> Setup </h3> <p>Create a new directory for this project, and a new text file in there called <code>terraform.tf</code>.</p> <p>Before we get started with setting up infrastructure in AWS, we need to tell the <a href="https://www.terraform.io/docs/providers/aws/index.html" rel="noopener noreferrer">AWS <strong>provider</strong></a> built into Terraform how to talk to the AWS API. All we need to cover for now is the <a href="http://docs.aws.amazon.com/general/latest/gr/rande.html" rel="noopener noreferrer">AWS region</a> - the provider will pick up the rest of your credentials from the AWS CLI you already configured. Don't worry too much about the variable, we'll cover that later.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">variable</span> <span class="dl">"</span><span class="s2">region</span><span class="dl">"</span> <span class="p">{</span> <span class="k">default</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">eu-west-1</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">provider</span> <span class="dl">"</span><span class="s2">aws</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">region</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${var.region}</span><span class="dl">"</span> <span class="p">}</span> </code></pre> </div> <p>You'll notice the code looks pretty much like config files you're used to, eg JSON or YML. You can set the region value to your nearest if you wish.</p> <p>After <strong>providers</strong>, Terraform is built around the concept of <strong>resources</strong>. Generally these correspond to 'things' on offer at your cloud provider, such as virtual machines or servers, databases, stored files, etc. Sometimes they actually refer to links or associations between two resources, or other pieces of configuration.</p> <h3> Database </h3> <p>We will start with the DynamoDB table - this has a 1:1 relationship with a Terraform resource. Add this into your <code>terraform.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_dynamodb_table</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">emails</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">emails</span><span class="dl">"</span> <span class="nx">read_capacity</span> <span class="o">=</span> <span class="mi">2</span> <span class="nx">write_capacity</span> <span class="o">=</span> <span class="mi">2</span> <span class="nx">hash_key</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span> <span class="nx">type</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">S</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Let's break this down:</p> <ul> <li> <a href="https://www.terraform.io/docs/providers/aws/r/dynamodb_table.html" rel="noopener noreferrer"><code>aws_dynamodb_table</code></a> is the resource provided by the AWS provider.</li> <li>The first <code>emails</code> is the name for this resource - but in Terraform only. You can be as generic or descriptive as you like, but like in any software development, it's good practice to be able to understand what something is by just reading the name.</li> <li>The second <code>emails</code> is the actual DynamoDB table name - you'll see this in the AWS console and refer to it in code.</li> <li>The rest of the arguments are specific to the resource - check out the docs if you want to know more.</li> </ul> <h3> Init </h3> <p>Terraform is based on a pluggable design - the components that actually talk to cloud providers and create resources are downloaded automatically and stored in your project directory. <br> So before you can call AWS, you need to tell Terraform to download the AWS provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>λ terraform init Initializing provider plugins... - Checking for available provider plugins on https://releases.hashicorp.com... - Downloading plugin for provider "aws" (1.11.0)... The following providers do not have any version constraints in configuration, so the latest version was installed. To prevent automatic upgrades to new major versions that may contain breaking changes, it is recommended to add version = "..." constraints to the corresponding provider blocks in configuration, with the constraint strings suggested below. * provider.aws: version = "~&gt; 1.11" </code></pre> </div> <h3> Plan and apply </h3> <p>The next step is to let Terraform build a plan of the changes you've requested. Go ahead and run <code>terraform plan</code> - the AWS provider in Terraform will look at your current AWS setup and plan out what it needs to do to deploy your infrastructure. It should look something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>λ terraform plan [...] An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: + aws_dynamodb_table.emails id: &lt;computed&gt; arn: &lt;computed&gt; attribute.#: "1" attribute.3226637473.name: "email" attribute.3226637473.type: "S" hash_key: "email" name: "emails" read_capacity: "2" server_side_encryption.#: &lt;computed&gt; stream_arn: &lt;computed&gt; stream_label: &lt;computed&gt; stream_view_type: &lt;computed&gt; write_capacity: "2" Plan: 1 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>What does this show?:</p> <ul> <li>Your new resource, <code>aws_dynamodb_table.emails</code> is shown, with all of its properties. As <code>+</code> indicates, this is a resource due for creation. </li> <li>The values marked <code>&lt;computed&gt;</code> will be assigned by AWS when the table is created. Remember this is only Terraform's plan of action, so these don't exist yet.</li> </ul> <p>By the way - if you have anything else already setup in your AWS account you will notice it does not appear here. You can mix manually managed resources with Terraform resources safely, and even multiple Terraform projects.</p> <p>At this point you can go ahead with <code>terraform apply</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>λ terraform apply An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: + aws_dynamodb_table.emails id: &lt;computed&gt; arn: &lt;computed&gt; attribute.#: "1" attribute.3226637473.name: "email" attribute.3226637473.type: "S" hash_key: "email" name: "emails" read_capacity: "2" server_side_encryption.#: &lt;computed&gt; stream_arn: &lt;computed&gt; stream_label: &lt;computed&gt; stream_view_type: &lt;computed&gt; write_capacity: "2" Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes aws_dynamodb_table.emails: Creating... arn: "" =&gt; "&lt;computed&gt;" attribute.#: "" =&gt; "1" attribute.3226637473.name: "" =&gt; "email" attribute.3226637473.type: "" =&gt; "S" hash_key: "" =&gt; "email" name: "" =&gt; "emails" read_capacity: "" =&gt; "2" server_side_encryption.#: "" =&gt; "&lt;computed&gt;" stream_arn: "" =&gt; "&lt;computed&gt;" stream_label: "" =&gt; "&lt;computed&gt;" stream_view_type: "" =&gt; "&lt;computed&gt;" write_capacity: "" =&gt; "2" aws_dynamodb_table.emails: Still creating... (10s elapsed) aws_dynamodb_table.emails: Creation complete after 14s (ID: emails) Apply complete! Resources: 1 added, 0 changed, 0 destroyed. </code></pre> </div> <p>If you get tired of typing <code>yes</code>, you can always add a <code>-auto-approve</code> flag to skip confirmation. </p> <p>You might have noticed that the table was provisioned with a throughput capacity of 2. That's probably overkill for this project, so edit <code>terraform.tf</code> to make that 1, and <code>terraform plan</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>~ aws_dynamodb_table.emails read_capacity: "2" =&gt; "1" write_capacity: "2" =&gt; "1" </code></pre> </div> <p>This time around you can see that the table is due for a change (marked with <code>~</code>) - Terraform won't destroy and recreate it. Arguments changed will be shown underneath. At this point, <code>terraform apply</code> should be self explanatory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws_dynamodb_table.emails: Modifying... (ID: emails) read_capacity: "2" =&gt; "1" write_capacity: "2" =&gt; "1" </code></pre> </div> <p>If you run <code>terraform state list</code>, you will see a list of everything that Terraform manages in your AWS account. You can check <code>terraform state show aws_dynamodb_table.emails</code> to get the details of a specific resource.</p> <h1> Permissions and security </h1> <h2> IAM </h2> <p>We'll be running the backend server logic in a Lambda function, but before we build that we need to setup an <a href="https://www.terraform.io/docs/providers/aws/r/iam_role.html" rel="noopener noreferrer">IAM role</a> and attach some <a href="https://www.terraform.io/docs/providers/aws/r/iam_role_policy_attachment.html" rel="noopener noreferrer">policies</a> to it. This will give our function permissions to access other AWS services.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">data</span> <span class="dl">"</span><span class="s2">aws_caller_identity</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">current</span><span class="dl">"</span> <span class="p">{}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_iam_role</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">LambdaBackend_master_lambda</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">LambdaBackend_master_lambda</span><span class="dl">"</span> <span class="nx">path</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span> <span class="nx">assume_role_policy</span> <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="nx">POLICY</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Version</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Statement</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Effect</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Principal</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Service</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">lambda.amazonaws.com</span><span class="dl">"</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">Action</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sts:AssumeRole</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">POLICY</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_iam_role_policy_attachment</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">LambdaBackend_master_lambda_AmazonDynamoDBFullAccess</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">role</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_iam_role.LambdaBackend_master_lambda.name}</span><span class="dl">"</span> <span class="nx">policy_arn</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_iam_role_policy_attachment</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">LambdaBackend_master_lambda_CloudWatchFullAccess</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">role</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_iam_role.LambdaBackend_master_lambda.name}</span><span class="dl">"</span> <span class="nx">policy_arn</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">arn:aws:iam::aws:policy/CloudWatchFullAccess</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="dl">"</span><span class="s2">aws_iam_role_policy</span><span class="dl">"</span> <span class="dl">"</span><span class="s2">ssm_read</span><span class="dl">"</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">ssm_read</span><span class="dl">"</span> <span class="nx">role</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">${aws_iam_role.LambdaBackend_master_lambda.id}</span><span class="dl">"</span> <span class="nx">policy</span> <span class="o">=</span> <span class="o">&lt;&lt;</span><span class="nx">POLICY</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Version</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">2012-10-17</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Statement</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Effect</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Action</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">ssm:DescribeParameters</span><span class="dl">"</span> <span class="p">],</span> <span class="dl">"</span><span class="s2">Resource</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Effect</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Allow</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Action</span><span class="dl">"</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">ssm:GetParameters</span><span class="dl">"</span> <span class="p">],</span> <span class="dl">"</span><span class="s2">Resource</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/${terraform.env}/*</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">POLICY</span> <span class="p">}</span> </code></pre> </div> <p>There's some new syntax going on here, so let's explain:</p> <ul> <li>The <code>&lt;&lt;</code> syntax allows you to include a multi-line string or document. In this case we're using it for the <a href="http://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html" rel="noopener noreferrer">IAM policy document</a>. After <code>&lt;&lt;</code> we have <code>POLICY</code>, telling Terraform to read from that point until the next <code>POLICY</code> marker. <ul> <li>The name <code>POLICY</code> isn't special, anything will do.</li> <li>If you've ever scripted a Unix terminal, this may sound familiar.</li> <li>As you may have guessed, anything inside the angle brackets isn't for Terraform, so if you don't understand what it means, don't worry for now.</li> </ul> </li> <li>If you don't want to keep your AWS policy documents in your Terraform code, check out the <a href="https://www.terraform.io/docs/configuration/interpolation.html#file-path-" rel="noopener noreferrer"><code>file()</code> built-in function</a> to load them from disk.</li> <li>The <code>role</code> argument relies on Terraform <a href="https://www.terraform.io/docs/configuration/interpolation.html" rel="noopener noreferrer">interpolation</a>. This is a fancy way of saying it allows you to get values from elsewhere, whether that is another resource, or some static configuration. <ul> <li>If you're used to an OO programming language, think of this like accessing class members.</li> <li>All we're really doing here is making sure the policy attachment works, no matter how you name the <code>aws_iam_role</code>. This is an example of <a href="https://en.wikipedia.org/wiki/Don%27t_repeat_yourself" rel="noopener noreferrer">Don't Repeat Yourself</a>, a good practice in any language.</li> </ul> </li> <li>Don't worry about the <code>data</code> line for now - we'll cover that in part two.</li> </ul> <p>When you're happy, go ahead and <code>terraform apply</code> this, and carry on to the <a href="https://dev.toterraforming-aws-a-serverless-website-backend-part-2">next part</a>.</p> terraform aws serverless backend