AWS re:Invent 2019: [REPEAT 2] Building APIs from front to back (SVS402-R2)

Captions
good morning all right two of you are here I'm happy about that man this is the day this is the morning after replay you guys are awesome how many y'all went to replay excellent how many I went to bed at 9 o'clock at night so you want to be alert for this session alright good liar but okay I appreciate that hey my name is Eric Johnson I'm losing my voice I apologize so mmm if I cough in your ear I it's gonna be there I don't know how to stop it so I am a senior developer advocate for AWS and today we're gonna be talking as you saw there and pop that back we're gonna talk about building api's from front to back and I'll get a little more into that a little bit this is who I am again you can follow me on twitter at edj geek I will warn you I do I talk a lot about service but I'll style about my family Pizza Y pepperoni shouldn't be on pizza die Dr Pepper Dr Pepper all kinds of things so it's good with the bad that's that's the forewarning I'm thrilled you're here I know it is an early morning it is also an early morning for me and it's I was like wow okay this is really cool I'm glad you guys are here so I have been a server this tooling automation geek since I can remember I got into service when it started in 24 2014 and and I absolutely adore it so I'm glad you're here I'm a Software Architect I've better solutions or software architects since 1995 I actually started as a designer I was a horrible designer horrible if you give me a picture I could recreate it I knew the tools if you gave me a white canvas and said design something cool it'd still be a white canvas two hours later I probably mad at you so I switched over to architecture design I'm a music lover I was a drummer started as a drummer who's gonna be a professional drummer turns out I'm a really really good drummer for one finger but I'm fairly average in real life but nobody was gonna pay me to do it professionally so I had to do something else now there's a couple rules while I'm talking it's gonna 
help a lot rules is probably an overstatement more like guidelines anybody know the rules anybody see me speak okay a couple of you all right sorry for the repeat but everybody needs to know right so here are the rules first off this is any number I want it to be okay good you're awake I'm glad so I'll hold this up and I may say seven I may say 42 I may say 33 I may say one but it's this is any number I want it to be I can get to four if I take my shoes off but it gets real awkward for everybody all righty these are quotes not apostrophes I know that I do this it looks a lot better than this okay like he's doing a body I'm not doing a bunny unless I am it's contextual you have to figure it out but it never fails someone else comes in doesn't hear the rules and I do this you know the other day I was working and they're like it's waving at us I'm not waving at to you unless I am the last ruler these are thumbs my actual college ID was okay it was kind of funny so I do this a lot I hold these thumbs up I hope that helps out I will make one finger jokes I'm completely comfortable with it I was born this way I did not wake up for the first time this way this morning if I did I would not be here with you okay I'd be somewhere coping right okay also again I make one for your jokes if that makes you uncomfortable I am also comfortable with that so either way I'm good all right let's jump in here kind of set some expectations tell you what we're looking at here all right so we're gonna be talking about AP is on on a DWI so how do we build one this is gonna have some code in it obviously this is a 400 session so we're gonna give us some deeper things I'm gonna be coding if you came here to see me build like a node or Python like an express API or something like that that's not what we're gonna be doing what I'm gonna be doing is I'm gonna be doing the infrastructure you can write the code to talk to an API I'm gonna be working and writing the infrastructure and how do you 
build an API from front to back now I do have a client that I'll show you I designed it it's horrible but it's there you can look at it and so so that's kind of that I want to level set those expectations we're gonna climb into you really it's gonna be kind of API gateways kind of star of this show we're gonna climb into the deep technologies and security in the cashing in the throttling and all those kinds of things of API gateway and I hope you come out of here going okay I need to look at some of that stuff and now I kind of know how it works all right so like I said if you're not familiar with Amazon API gateway it's a fully managed API gateway service so when you're using server list this is pretty much our go-to for api's right sometimes you might use something else like an alb in front of it if you use a server list you might look at our new services we just released is HTTP API and here's the things to evaluate real quick when you're thinking about this if you're using API gave anybody using API gave it right now okay good all right if you're using API gateway simply to proxy eight lambda you might be paying too much okay we'll edit that out of the video later right okay good so if you're simply just pricing a lambda then you might be paying too much one of the things about API gateway is it has so many features and powers that you can use that make its value that we try to tell you the units it's not just for passing information you know you can do all kinds of things if you are doing that and you don't need if I show you a bunch of stuff today and you go you know what I don't need all that then look at HTTP API the new service that we just released it's gonna run it's gonna do that simple proxying roughly 70 percent cheaper okay so take a look at that alright so looks like it hopefully like I said this is a 400 level so you kind of have an understanding of API gateway and what it is we're not gonna we're gonna climb into a lot of that but just real quick 
I'll give you an overall structure sometimes when I show this slide people go whoa I'm out of here that's complex the idea behind this is I want you to think about when you think about API gateway you think about what talks to API gateway and what does API gateway talk to right so there's two sides an API there's the front end and there's the back end and the front end we can have regional we can have edge edge optimized or we can have private API so and those are kind of like they say regional is just gonna be electing the US west or something like that now it doesn't mean that you have to be in US was to get it it just means that if you're across the world you can have a more latency if you have an API that you're running that's that's global that you know your client sells global then you want to look at edge optimized all right excuse me or a private one which means you can only get to it through VP sees all right and then on the backside with API gateway you can hit AWS services obviously or wouldn't make much sense to us right or you can hit stuffing like privately V PC in V PC or to your on-premise staff or a V PC link and a lot of people don't realize this any other HTTP endpoint on the web okay so you're able to actually put this and if you have an HTTP endpoint you're consuming a service that you have to deal with throttling and caching and you can't and you have to do it for multiple customers and you want and you don't want to deal with it there you can drop an API gateway in front of it and handle it all right there so very powerful all right there's six ways you can control IP or you could control you can manage API gateway there's the management console obviously you can go right into the console and you'll see a lot of that today some of the stuff I'm doing today in fact everything I'm doing today you can do three either Sam and open API combined but I'm gonna do a lot of it in the console because it makes a little more sense and you can see it you 
can get it oh okay I get that switch I get that trigger okay you can do it today to be a CLI if you're writing your scripts to script to the CLI you could use able to be a Sam Sam you're gonna see a lot today I've built most of this in Sam okay so if you're not familiar with what Sam is anybody using seam now okay couple of you how many are using cloud formation now okay so Sam is an abstract that sits on top of cloud formation it is a CloudFormation template but we have specific service resources that are that are in Sam when you run it when you deploy a Sam template it actually deploys to cloud formation and it goes through what we call a transform okay and the cool thing about it is with Sam I can build that I can build the function I think let me show you here real quick I have it on screen I can show you I could need 20 lines of code and it'll build a function and I am roll an API gateway and a dynamodb all there so when I do this I get this all right so that's so if you haven't looked at Sam and your building service i heavily encourage you to do that if your building service and you're not using some kind of framework I really encourage you to do that don't do it by hand and cloud formation for service is not the first go-to I would look at Sam one our partners service framework different things like that so a general idea I'm gonna go back for a real quick second you'll notice here I'm building the function and then I'm adding it right in the function I'm adding an I am role and this role is called DynamoDB read policy and this is a private or I'm sorry this is an AWS managed policy and I can pass at a table name so right off the bat I have lease privileges going on okay it's the next thing is I'm building out and I want you this is what I want you to see is the event so if you if you know anything about server lists anytime we do service it has to have an event to trigger that's I mean if you wanted to find some service really simply it's like something 
happens the lambda goes okay something happened and then it does something I mean that's kind of servile it's in you know just service for dummies I guess which is for me right so you have to understand that every time we true we have a lamb that we have to have an event that triggers it right so here I'm saying the type is API and the path is products and then we do a product ideas as a path parameter and the cool thing is the same as smart enough to go okay you put API there I'll build an API gateway for you and we're done okay so again I do that and I get this alright so let's look at what we're gonna build today we got a lot to cover I'm going pretty quick so bear with me hang on we're gonna do a little story today I want you to meet some friends of mine this is Angus and Ellie that's exactly what they look like pretty proud of that they have four fingers figured it'd be a little weird to do one finger we're like how does this apply so anyway they're newly married couple right now they're named Angus and Ellie because I tried to name our kids Angus in Ellie and my wife said I'm not happening so I named my characters of my story Angus and Ellie I have five kids I got to name the first three or partially no I didn't my I was overridden and and then I didn't get to name the last two either so I named the characters of my story all right so back to our story here so meeting Cinelli their newly married they want to keep track of each other their budding developers right hey we're developers we want to learn how to do this we want to build it ourselves and we want it to be secure obviously you know we don't we don't want everybody know what we're doing and we want to use service because service rocks right okay so here's what we're designing yes I designed that no I'm not a bit available for hire okay you're like we have to get him all righty so basically it's very simple they enter their device at me see like anguses phone where they are fell asleep on the couch 
that'll be me and then it does it does a message I'm sorry then it does a timestamp in an ID and all the stuff in the back side okay so phase one we're gonna break this down of phases okay phase one we're gonna build a basic family website all right so what does that look like on AWS service these are the services that I would generally use any front-end developers in here all right back in developers full stack developers right we're really all of everything nowadays right so here's a couple things here's how I break this down okay for our kind of our back-end we're gonna use API gateway obviously that's our API we're gonna use lambda for compute we're gonna use dynamo DB for our storage for our hosting of our client I'm using amplify console if you've not looked at amplify console I really encourage you to okay so all I have to do it's powered by Amazon CloudFront Amazon s3 and it uses lame dead edge and all I have to do is I open up amplify console I create a new application I pointed to the repository being github or code commit that my client is sitting in and I have a CI CD process okay it's gonna it's pretty good it knows if it's angular a react or view Jas or whatever or or I can customize the build steps and then every time I commit to that it's gonna build out on the website client I can use custom domain I can use rewrites there's some testing procedures in there very powerful you don't have to use and this gets a little confusing you don't have to use the amplify CLI or the amplify framework to use amplify console so if you're just a silly ass imp that came out wrong if you're just building a simple website I almost say if you're just a simple developer there's no such thing as that right if you're just building a simple website you can use this it's very powerful all right so let's look and see what we're doing switch this over here all right I have two good sign everybody read that can you may not read that all right good my old eyes would but have a 
hard time so what you're looking at here is the Sam template for the very first phase that we're gonna build okay now I've already deployed this template okay because this is pretty simple so I'm just gonna kind of walk you through it real quick so you know what we're looking at all right so first thing I've got is I'm passing in I've got a Global's I'm passing in some function settings this whole thing is node J s12 I am a node developer some would argue that but I think I am and then I'm passing my Handler and then I'm setting my cores right here okay how many all love cores all right excellent I'm telling you and I said this is a session the other day if cores had a face I'd punch it in the nose all right if you're not familiar force is cross-origin resource scripting or something like that I'm not sure if that's exactly it but I'm pretty sure that's what it means so basically it's a browser security that you have to pass some information for one a browser on one domain to talk to a different domain an API gateway can handle that for you won't climb into that too much right now but just kind of get an idea there now I'm also declaring my API now remember on my previous example I actually declared the API in the function but because we're gonna add some more settings and I want to get real granular with my API I'm gonna declare it independently and that works just the same and you'll notice that my function here I'm using the same syntax the only thing I'm adding is I'm saying hey tie this to the existing API that I just built I'm sorry the API that's in this template that's separate and finally this is my DynamoDB table look at all that code I had to do I was up all night coding that to build that dynamodb table okay very simple it's called a simple table and all it does is it brings up a DynamoDB table with an ID is a hash or a key if you're not familiar with that and it's dynamic capacity all right so I've built that out let me show you what that looks like on 
API gateway okay so this is the console an API gateway and it's real simple I've got my git I've got my options that's what that cores do does it build out and built up my options this hopefully if you're working api's you understand what a pre-flight check is an options things like that and you hate cores as passionately as I do all right and then I've got my post I notice there's this big glaring thing it says authorization none okay so what that means is any old person could pop up their postman and they can hit Send on this and they can get the data that's in there okay so this so I'm using postman let's post something else so in this I'm just gonna pass a raw JSON string and Ellie is at home she's ordering pizza and looky there we have built with that Sam temple that I showed you we have built an API you may go nerves kick that obviously isn't enough right we got to do some more work on this but you kind of get the idea here that very quickly with Sam and infrastructures code if you go anywhere else any other cloud and the other primitive stuff like that use infrastructure as code okay that's that's it's it's a way to be to build out to version and all that kind of stuff so all right let's go back here a quick review obviously that wasn't a lot of code if you're like me and said all he's concerned no we're gonna get heavy into it okay but just kind of do this so we built this alright so we've got our client we've got our API gateway that's not the real domain I'm just using whatever when it's pumping out I got a get function I got a post punch I got a records table and we're good okay I told you I'd show you this is what that this is what amplify console looks like very cool all right I can attach to multiple stages for testing things like that so this is an amplified console session but I would tell you to check it out if you can all right so we have phase 2 now this is what we're gonna get into the meat of things oK we've built an API front we've started it 
okay but like I showed you anybody if you were to jump on your phone and I were to give you that API you could start pumping data in there I'm not gonna do that because I don't need weird stuff coming up here you guys give me a heckling me digitally you know so so now you need to look at securing and optimizing the family website now a couple of things this isn't an exhaustive list it's actually pretty close I mean we're we're covering a lot of things but there's a lot of ways to do security there's a lot of ways to lock down but I'm gonna show you some some of the primary ways we're gonna look at a ssin and authentication with Cognito we're gonna be throttling resource policies aw swath what a Web Application Firewall and we're gonna do data modeling okay we're not covering caching cloud front that doesn't mean because I don't think you should use them I absolutely think you should use them but because we're live coding and it takes a cloud for a distribution roughly 20 minutes to update it would slow us down a bit this would need to be a five hour session okay which I I like me but I wouldn't even sit with me for five hours okay so so we're not gonna do those but they're pretty easy to set up or you can add more if you do cloud like edge optimized it's gonna do it automatically right alright so let's first of all and they're walking steps and then I'm going to take you and we're gonna deploy it and you're gonna see it so first introduce authentication and authorization anybody build their own authentication system was that fine yeah yeah that's probably not funny sometimes it has to happen right one of these you can do we have a service called kognito and it does a lot of different things but one of primary things that does that creates a user pools you can have a user pool where I can have users go in and they create their username password its login different things like that you could do federated IDs - like Facebook or something in Amazon and the cool thing 
here is then it makes it very simple and cognitive will actually host your login pages if you want it to you can do it through an API so they never leave your site or you can do that click to login it pops it over to their page and login and and here's the process you click to login it pops over to their page it you do the authentication there and then it takes you back to your original site and it passes a token and then your site takes that token verifies it against kognito and gets credentials back Orwell JWT back ok then every time you call the API you pass that token and and the cool thing is with the kognito authorizer which you'll see in a minute they that has all the keys it needs to verify your existence or your validity maybe there's a better way security alright you exist all right so very quick authentication process so it and you'll actually see that in my demo something I'll show that in a minute so all right so the second thing we're gonna do is throttling so you better work with throttling all right I encourage you to evaluate your throttling story all right I'm gonna tell you why first of all I explain throttling real quick you may not I mean probably not I mean it's pretty apparent throttling less keep him from getting overwhelmed right I'll explain how it works an api gateway on api gateway throttling is handling a four stages okay the first one is the account level so we're gonna kind of go from from four three two one alright so what it does is in the account level you have 10000 RPS requests per second at a 5,000 burst that is an account standard and it's shared across all your API is in the in that region okay it's a count level but it's in a region so you get 10,000 RPS per region ok so if I have 17 api's in there they're sharing 10,000 here's a tip if you don't need your API is in the same same account spread them out in accounts doesn't cost you any more than you get more RPS okay alright so work the system alright we'll edit that out 
later that I said work the system alright so that's what happens now here's a fun thing let me explain the bursts okay so what the burst means I have 10,000 but I've got a 5,000 burst that means in the first millisecond that exact millisecond if I were to get 5,000 hits I can handle that that's the burst API game is gonna go no problem if in that first millisecond I get 5,000 won somebody's gonna go whoa what happened it's gonna kick that one out right however if they were to call it the next millisecond and on through the rest of the second we can handle another 5,000 that makes sense so I've Holst a whole second you get 10,000 but at one millisecond the best you can do is 5,000 all right it's still pretty good that's a lot of data now the fun part of that is the good news is that's a soft limit okay you can go to 80 bits limits you can have that raced excuse me once again alright so the second way we do this we do throttling is that a method okay so in here you can go in and you can say we're gonna set we're gonna say if I'm at the method of cars so hit my API forward slash cars force us whatever at that method or I could say forward slash star all my methods I want to break that down and this is at the API level to maybe 2000 with the 1000 burst okay because I don't want this API to kill my other API is in that account or I want to be able to manage some of that okay the third way we do it is now through what we call a usage plan or client level so if you let's say you have a bunch of services that are hitting yours and they're really chatty they're just pounding away okay they post a lot they get a lot and and you don't want it to keep your users your humans from being able to get to the API so you can set them up with an API key that ties it to a usage plan and you can say you use this and you can throttle based on just that usage plan so per client you can also get more granular in the fourth one and you could say per client per method okay so you can see how 
it's getting more granular as you go right so I could say a great example is like I've got a system that I need it to be able to read constantly from me but I don't want it to post a bunch because my down stream can't handle it I'm not running service so to speak I'm running maybe ec2 instances or the legacy system that can't handle that downstream I could actually say alright I get you can have so if you're in the data plan you go on all your gets you can do 3000 per second but I want your posts to be at 1,000 per second now that may not be the best way to protect your downstream probably would be better to tie that into a queue so you they they don't actually get rejected just make it asynchronous but if you had to do that you could do that okay now the thing about this is while I explained it four three two one API gateway is going to evaluate at one two three four so it's gonna look at the per client per method first that it's gonna go to the client then it's gonna look at your method and it's gonna look at your mouth or your account or your region fun fact is at the method level or something like that you can set a 15,000 or 20,000 or 92 bazillion thousand but you're only gonna get 10,000 okay you can't override the account so so as you're going into the account level you can't override that however you can raise it to the limits again so so we're gonna add throttling today see how that works I encourage you if you're like you know Eric we don't get a lot of traffic I still encourage you to understand your throttling story because as you start getting more traffic because that's our goal is to get more traffic right we build applications like look we never want to get more than 5,000 we're happy with that good is the enemy of great you know what I mean and so but you're like hey as we plan ahead this doesn't cost you anything this is this just cost you the time to plan it and good management okay so for thought so think about your throttling story alright the 
next thing we're gonna look at is resource policies now resource policies are great for limiting access to your API ok so so I could say just to say IP desking get here or everybody but this IP address can get here some blacklisting whitelisting just this VPC just this account just this organization okay so you can set your principle multiple principles on who can reach this and you can set your target on what they can get to so it's a really handy way especially if you got you have cross count it's 8:30 month over Friday morning cross account traffic right you can control that and this is part of API gateway okay you're not having to add a wife we are going to talk about wife but wife as an extra service this is done right at the API gateway level the plus and con of that is where the pro and con is it's part of the API if you change it you have to deploy your API not a huge deal takes API gateway roughly seven seconds to deploy but if you're in a panic mode and you know you have a lot of managing a black black listing a white listing you need to do things like that you can also look at a laugh okay a wife is gonna give you a lot of power okay you can do sequel injection test you can do you know again back to the black listing white listing and if my wife is it's basically bolted on right to the API gateway that's technical term we bolted on if a guy comes up right so it's right in front of it okay and the in actual every time an API gets a request it's gonna forward out to the till wife verify the rules and then and then act accordingly and if it's if it fails the rules it gets booted never gets past API gateway if it if it passes the rules then it gets in think about this is if you go if you take let's say I build the API gateway I deploy it with a wife attached to it then if I go in and make a change to change than a wife I don't have to deploy its instantaneous I just have to save the change okay it's very quick also gives you more ability to break things okay 
do it on a Friday night all right so that's a WEP and you'll see examples of this the last thing we're gonna do in this particular phase is data modeling okay now here's an interesting thing a lot of people don't think data modeling at the AP at the API level yeah absolutely you don't have to but it's a possibility and I want you to think about why how would that help so first of all this is out works okay so we think about I set up an object so here's my schema that I'm gonna do and I'm using G I'm just validating strings but you can do regex in this you can you can say hey it has to be a URL it has to be or whatever here's the here's the honest truth I am pathetic at regex I'm not gonna lie to you and so if I put regex up there you'd all be snickering at me right now so I just did string but you can't you can do regex and I have I was in Copenhagen three weeks ago and I demoed something where I built a full URL shortener using just API gateway and DynamoDB no Lam does no caching or anything and it was really cool I did it all API gateway I did a lot all my validation here things like that because you know the world needs another URL shortener so but I will tell you is wicked fast very fast very effective all right so how this works is and you see the different patterns we've got here which one was a match our first one matches because it has all three and they're all strings our second one matches because we really only require device type and location I don't have to have Matt I'm sorry the second one does not match how's it going our second one does not match because it does not have the required location okay third same so on you can see the patterns here so here's why this really can matter to you let's say if you look at it at lambda pricing okay lambda pricing is a million invokes per month for free and then 400 or the land of free tier 400 400 thousand gigabytes of a memory for free you get a lot for free with lambda but let's say you get 10 million hits 
per month okay pay for that so huge but it's out there let's say 1 million of that or 2 million of that is bad data let's say you're using some some clients that may or may not have the right stuff so think about this if I'm validating at the API level which they have to hit the API anyway an API kicks it out if it's bad data if it doesn't match the required payload that I'm never invoking that lambda I'm saving roughly 20 or 10 to 20 percent on my lambda cost simply by validating now that's probably kind of an extreme story hopefully not you know 20% of your clients aren't don't have the wrong package you might want to value with your clients but you get the idea of saving that and it can be managed in infrastructures code as templates all right so let's leave some code let's do this so this time we're actually gonna deploy okay so first of all we're gonna go over our template I'm using cloud 9 by the way if you're wondering what ID I'm using I love cloud 9 it's easy I could bring it up on any machine my machine was actually giving me grief this morning I was gonna have to borrow one of yours but I did get it up and running so alright so first of all we're gonna do a deploy okay so let's go I've got this in check out phase 2 okay and that's not gonna work because I'm not in the folder let's go CD yes back in let's do that again alright so change the phase to I don't know why I spelled out phase 2 I could have done P 2 this gives me all the opportunity to fat-finger right in front of you I have two fingers I'm the worst fat finger in the face of the planet okay alright so I have a long deploy process you ready there we go I'm done okay now this is not a CI CD I'm deploying right for my account and I know I'm not done there's still some work going on but we've just updated the CMC Ally that you can do deploy is very simple what it's going to do is it's going out it's actually gives it here it created a change set for me and now it's actually deploying the change set 
and giving me status while that's going I'm going to show you the template show you what I did I'll pop back to that screen for those of you want to take a picture of it ok so the first thing we're doing right here line 31 as I madelung that well it starts at 28 I'm adding the throttling okay I'm setting a method level in the method settings and I'm saying for every method and every resource path now remember I can I can get you some pattern matching on this but I'm saying for all of them I want to add a throttling rate limit of 2000 with a throttling burst limit of 1,000 okay so that's how I add throttling not terribly hard is it right right in searches cards pop it in okay the second thing I'm gonna do is I'm adding my authorizer okay so I'm saying in auth I'm gonna use an authorizer then and this is my logical name that's just what I call it so it knows what it means and then because I pass it a user pool ARN it knows I'm building Cognito and I'm using a Cognito authorizer now where did that come from I actually have another template here this templates the magic template this guy builds out a full Cognito authentication system including the hosting the custom domains all that kind of stuff I've had a ton of people ask me for this I'll give you t for ten bucks that's not true here's what's gonna happen if you follow me on Twitter later later this this sometime in December I'm gonna open-source all this and we do that for free obviously I'm gonna put it out where you can get at it you can run this and it actually exports I'll show you real quick here down at the bottom it exports the user pool ID that I need okay so over here in this one I actually grab that value okay so that's I'm using import exports past that okay so the next thing I'm doing is I'm adding my resource policy okay and I'm using the IP range blacklist so I'm saying if you happen to be and I'm picking this IP just out of out of the air which would be hysterical if it's my IP and then nothing works
and I can't explain it to you which I'm always paid cuz I would be the guy to pick that IP unless there were money on it then I couldn't come close to it so I don't gamble here for my my wife has forbidden it so anyway so this sets up a blacklist that says if you're on this IP gets blocked out I can do a whitelist I can do this I can do a range of IPs but I feel like that's really test that's that's risk in it you know alright and then the last thing I'm adding is a model okay so the model here like I showed here the required amount the different properties and what they should be I'm sorry I was the last thing this is how I'm declaring the WAF okay so how this works start at the bottom this is the Geo list is a specific type of rule base or geo match set that I'm building the rule that implements that geo match set and finally I'm building the web ACL that ties in that rule and the way that works is you can put multiple rules to this web ACL okay so you can add those and remove those so the last thing I want to show you is right down here on my get function I did actually add the authorizer okay now that means that now that I've built that authorizer out now I want you to use that authorizer to validate the users coming in all right you can add an authorizer and not do anything with it okay and the reason for that is is because we want to say hey I'm gonna use it on this function and this function but this bunch I want them to be able to come through or I might use a different authorizer on another function alright so you do different things okay so let's look at see if my build worked it did so if you want to take a picture that that's the actual status where it's coming through and it's done two things it's gone through all the statuses and then its output any values that I wanted to know okay one of them was the I get the API out of this one all right so let's go look and see what that did now notice it doesn't look different here's where you want to do a
refresh okay I learned that the hard way it doesn't always it doesn't always check to see if that's changed in the background you don't do refresh first thing I'll pull your attention here is now my authorization set doesn't say none that's a good thing right now it says hey you're using a Cognito user pools authorizer so let's see what that does to our client so I'm gonna go over to Postman I'm gonna hit Send and I'm now locked out all right I have no I have no way to get to that because I'm not logged in so let's go to my client again I'm not out for hire but this is a suite design all right now watch what happens when I hit login it's taking me to a different domain now all these domains are really ugly you can do custom domains on API Gateway I just didn't for this alright so now I go over here here's my login screen you can customize this as well I'm gonna sign in and it takes me back to my site I'm logged in oh hey that's a unhappy error that we've got going on let me refresh that oh there it is yeah it's just now it's gonna stay logged out latency on our website or latency and our internet here is a little painful so bear with me let's log you in one more time it is all right we'll let that update this time okay so what that little delay you're seeing is my sites actually verifying that token and our Internet is pretty slow here right now so bear with me okay so now you see I've got data coming down whoo it's working all right okay now here's a cool thing we're gonna open my console here view page source and up oh that's how what I wanted I'll blow this up a little yeah y'all can see that all right okay so I'm gonna do an inspect here but this part I do not believe I can blow up I'm gonna try oh I totally lied to you once again all right so in our network here I'm gonna do and we may have to keep it small to see it you can see data flowing yeah that's gonna be too big for you to see if one second here okay you can see it down there you don't need to
have to be able to read everything but you can see the data coming in okay so now I can go over one of the things I can do that under the application I can grab the token that I need because we're gonna want Postman to work for us I know this isn't a Postman class but just so you know you can do this you can actually use this token that doesn't look long enough let me check that yeah that's not long enough okay I didn't get it already yeah it looks long enough all right let's update that bad boy all right so now if I go here I'm now authorized on here so I can use my credentials to test okay and this is easier sometimes you go to your client all right so now we've got this work is let's see what our changes did past that so the first thing I'm going to show you is check our time here is our the throttling so let's go back to API Gateway now throttling it's done the one I did is done at a stage level so if you looked at the staging I have two stages now I'm doing all my work in production okay that's because I never make mistakes I don't suggest you do this all right or he'll nobody cares you know if this goes down but yes I'm just pushed into production so I could test this but notice this is set to ten thousand five thousand because that's the default they're all gonna come in that way right however if I go to my prod it's 2,000 1,000 okay here's a fun thing let's go to one one I'm gonna save the change and here's the thing since I'm changing the API Gateway I need to deploy the changes okay and you're gonna see me to make a change and not deploy the changes and it's your job as a concerned audience to yell deploy the changes idiot okay you don't have to do the idiot part but sometimes I'll be like why doesn't that work so there you go so you have to deploy the changes so now that I've got that out there let's look at our network here and I'm gonna click on this as fast as I can okay you see how I'm getting let me scroll down see those 429s that means that I did
over one per second that I set it at it's API Gateway said nope you're out so that's just proof the throttling works all right so let's go back to that real quick I'm going to set that back because that'll causes a lot of problems later and I'm gonna save it before I deploy it I'm gonna show you one other part we'll deploy it all together I'm going to show you the resource policy now this is what was created now notice we just did a couple of lines we just said IP blacklist that's it SAM was smart enough or CloudFormation or the you know the little gerbils inside someone said alright you got it for these resources based on the pattern everything I'm gonna lock it down and how this works is it says because it's a blacklist that says everybody is explicitly allowed and then I'm gonna deny with the condition of this IP address that is two four or five four whatever okay so that's how it works but what if I go in here so right now my site's working doesn't affect anything but what if I go in here and deny everything and say allow just this IP okay so let's deploy those changes beyond the resources to do it all right and I'm deploying again I always deployed to prod and I do it on Fridays okay we're gonna apply it here and let's refresh this okay now it's gonna take a second I'm getting some 200s there we go now I'm locked out completely and now I'm not getting a 429 I'm getting a 403 you don't have access to this you're blocked out okay so that's easy to do so that's a real quick way and it's embedded it's embedded in thank you it's embedded in your API Gateway deploys as part of your stages right and it's at a stage level so you might have different things for different areas all right show a couple more things let's go to let's set first of all let's set our resource policy back okay because I didn't I did not guess the IP right shocking okay all right so we're gonna set that we're gonna save that the other thing we're gonna do is we're
going to attach the the WAF that I created and these appear so I called the family protector web and we're going to and you can actually go right here and create it if you wanted to so I'm going to save that and I'm going to deploy okay now right now I have it set so that you have if you saw that and let me pop in real quick so you can see it I'm using the classic WAF right now so now notice though there's there's nothing there I'm using a regional API so I need to switch to the regional area and I'll see my WAF so there's a family protector WAF okay here's the rules that are using okay the family geo blocker and now it's in the geo list so here's the thing here this filter you see how it's working it's saying you have to be in the United States to get to my website so let's go to my website refresh this a couple times we're getting data all is well okay so let's say I want to go into the WAF and I say you know what let's add another filter another country because this is a Geo blocker and we're gonna say great go GB there we go United Kingdom there we go I'm gonna add that okay now immediately I go over here it's an and so we're good however if I go in here and I say now we're gonna delete this filter now watch how fast this takes effect I'm gonna get a couple clicks in it's gonna work fine and now I'm out okay a little faster now you see I have a couple of 200s cuz it has to propagate everywhere but now I'm completely tied down okay 403 so you may say to yourself when do I use a resource policy when do I use a WAF start with the resource policy okay unless you need a little bit quicker changes deployments are pretty quick but I'm using a pretty small API here right so if you have bigger stuff that you need to do look at resource policy first because it's built in as part of API Gateway right if it's not handling if you need more complex ruling if you need more complex filtering then look at a WAF okay alright so let me take that off and we're
gonna do a couple more things here let's add the filter back in country actually you know what I'm gonna do is I'm just gonna remove the WAF for now so I'm gonna go in here I'm gonna set this to none okay my WAF is still out there because maybe I'm using it on another one I'm gonna deploy this to prod and our site should start working again here we are yes okay beautiful alright so last thing I want to show you is the filtering okay on how that works so remember I said we've got a model called a device data and there it is that came in from what I built in the structure if I go over my resources I haven't applied it as a filter yet so I'm gonna apply it to one of my resources so I'm gonna go in and I'm gonna say in my post cuz I don't care about my gets cuz the data's already there but on my post I want to apply and this is in the method request I'm gonna say first of all I'll show you the body's already existing it's tied to the content-type application JSON and I'm gonna say validate the body check that okay there we go yeah I hit it twice so everything's okay there all right so let's go ahead and deploy this goodness gracious all right so now this is deployed let's go back to let's go back to Postman I've got another one here where I'm gonna use the body notice my body is the house and the device type is 1 2 3 4 5 6 I'm gonna hit Send and hopefully are late and see well there you go and this worked this is fine ok because it passes our validation but what if I go in and I say device type string now watch how fast this response okay I get an invalid request body this never made it past API Gateway all right I didn't have to do any business logic at my at my function alright so again this is a great way to do some validation it has I'm not gonna lie to you sometimes it's a little odd you know ok that's in API Gateway we're managing that in templates but it's a good way to look at it alright so we have built out phase 2 let's jump back over now we're gonna get kind
of fun or I think it's fun but that's why my wife calls me a geek so here's what we did it may be kind of hard to read but you saw it in my screen but you're welcome to snap a picture of that here's what here's how it came out alright so we added a resource policy we added a WAF we added throttling we ought to we added validation we add an authentication our sites pretty secure now and it's fairly optimized because we've stopped we've stopped different going to lambda if it didn't have to right but as all projects do we've got to change in requirements the scope has creeped on us a little bit guess what happened meet Rufus and Beatrice all right also names I didn't get to use all right new family members we have the same goals for them we want to know where they are okay we need a simple device they're not gonna be great at putting in we just want to be automated so meet Scott the ugly phone my name is Scott cuz that's my brother's name and he'll see this video at some point so that's just a poke at him all right so Scott is a simple phone location service but Scott's a little chatty okay his job is to say Here I am Here I am Here I am Here I am Here I am we don't want to pound our API Gateway we don't want a billion invokes so what are we gonna do we're gonna add a usage plan okay we're gonna limit how much Scott talks to us if this worked in real life that would be awesome okay I love my brother I have to say that all right so the API key allows devices to connect to API and usage plan throttles connections right so now you can do that the second problem with this is the simple phone cannot modify the outgoing payload it has one payload it doesn't match what we have with the one we're using so if we have our data validation in place it's going to get kicked out every time right so what we need to do is change it so we're gonna transform the data okay so currently we want device type location a message but what it sends is device ID and geo coord okay so we're
gonna get we're gonna need a transform the state of it we need to ask ourselves where do we want that to happen well we could do it here but again we have our data validation to worry about all right or we can do it here so not only can you validate the schema you can modify the schema alright so let's look at how we do that okay what we do is we have our input here we're gonna use what's called a mapping template it uses VTL Apache VTL which is Velocity Template Language and it will change what we know what we have on our input we know have our output and this is a mapping template this isn't the exact one we're gonna use I actually modified it a little in the code and I'll explain it when we see it okay then what we have to do is we have to start about totalement blank there from it what I have to do is have to decide okay we know how to use mapping templates is there more we can deal with mapping template so this is where it gets kind of fun and this harkens back to what I was talking about what I built in Copenhagen is do we really need this now think about what this is doing his job is he's taking the request from the client from the API Gateway and he's remaking the request he's calling he's doing an SDK call or an API call against DynamoDB to get the data and then he's returning it he's not doing anything magical he's just transporting the data okay my boss actually my boss's boss a guy named a Jane Eyre a real smart guy he made this statement he says use lambda functions to transform not transport okay why pay for the invoke if you don't need it so we're gonna get rid of that lambda and we're gonna just talk to DynamoDB directly and I'm actually gonna book it it kind of looks like this as we come through we get to get we get the post and we use this and then coming back we're also gonna transform our data where we where it comes out to where the client can read it alright so let's do this and I am gonna go pretty quick and I apologize timewise I probably
read a little long here so all right so first thing we're gonna do is we're going to change phases so get again don't know why name type to stall the way up but there we go oh thank you thank you well what if I get it wrong and you see it alright we'll switch the screen okay all right there we go so I did that now I'm gonna do sam deploy just like I said okay well that's going I'm gonna show you the template here's the changes I made in the template okay first of all I added a new endpoint entirely new function however I'm pointing it to the same codebase alright so I'm creating a new function it's pointing to the same codebase I'm the only reason I'm doing that is because I want to create a new path called IOT that's where I want my might Scott the silly phone to talk to okay that's first thing I did it's got the authorization and in my authorization I'm requiring an API key okay next thing I'm doing is I've got added my usage plan so the way I do is I declare an API key I declare a usage plan that I tie them together with the usage plan key finally the last thing I'm doing is adding a role now remember when we originally created this we said that DynamoDB is called lambda lambda calls I'm sorry API Gateway calls lambda lambda calls DynamoDB API Gateway has the rights to invoke lambda lambda has the rights to invoke DynamoDB API Gateway does not have the rights to invoke your DynamoDB until I give it the rights and I here is where I give it alright so let's see if this deployed it did and now we're gonna get busy so let me do a refresh on this to make sure I've got everything here all right so the first thing we're gonna do is now you see we have a new API and this is the post and I'm gonna go to the integration request right now it's a proxy it's just all all API Gateway is doing is passing the information back and forth I'm gonna turn that off and it's saying okay well you can do that and now I have some more options the options I care about right now are the
mapping templates and I'm gonna add mapping template okay lucky for you and me in the world I have copied these mapping tour I have these mapping templates available to me because you wouldn't want to see me type all this out okay so this is what the mapping template looks like and I'll show to you in in the screen here so bear with me okay so if I go down here I'm gonna blow this up so you can see it hopefully this big enough all this is is this is a body let's see if I can blow that up a little more okay lambda expects a stringified body that's what lambda expects so that's what I'm creating but you can see in here I'm setting device type to the device ID that's coming in and location to the geo coord that's coming in I'm using the path indicators to grab that data so we're gonna save that okay so let's test this real quick so all I got a deal I've got some test data that we'll do here okay so this is an example of how the device will get passed in so let's go down to the body paste that test it and I get an error but that's okay I was expecting that because the API Gateway is not a proxy anymore we got to tell the kind of response is going to have and we got a 200 from DynamoDB it did its job so we can go back to the method response and we add a 200 we tell it okay is where we do we also need to say what kind of headers are gonna get passed back and in this one the one we care about and I'm gonna grab it because I always get it reversed in my head okay it's called the access and this is CORS stuff so it's okay if you know that control allow origin okay so we're gonna pass this back and so spell that right API Gateway knows that now notice I'm not setting a value here and the reason I'm not is because it's actually set in the integration okay so the so the reason that is because you may want to set it from your code behind the scenes from lambda or something like that right now I'm setting it to star that is not the most secure way of doing it but we're
gonna do that because we're not using real domains anyway now if I test let's do a test here and I got back ok so I've now done change that data how it should map and now it's coming back to me now I don't care what this looks like because of these are dumb devices and I'm not sending anything back to them so I'm gonna leave that alone alright so next thing we're gonna do we set into our get is we're gonna get rid of the lambda here okay now right now we said we're using a lambda function proxied we're gonna change this we're gonna say AWS service when you do that you have to set the region which is us-west-2 is what I'm working about you tell the done of the service and I want to scroll down here for a minute because I want you to see the vast amount of services that you can integrate with directly ok a lot of them so we're gonna go DynamoDB now I'm gonna do a post you're like whoa you're doing a get well DynamoDB always expects a post ok that's just how it works because it's gonna do an action whatever you're doing so I'm gonna do a post here's where I tell it if you've worked with DynamoDB API I'm gonna tell it we're gonna do a scan ok all we're doing is grabbing all the data now remember I said we need permissions to do that so I have this I actually created the right role for that I said we need not resources the outputs here's the role that I'm using to create tool allowed API Gateway to talk directly to get the right tab DynamoDB ok there's the role I'm gonna save that do ok now in this one here's what the mapping template looks like again if you've ever used the SDK this should look real familiar to you because all you're really doing it to do a scan is we have to say and I'll explain that pop-up that just popped up in a second but to do a scan all we have to do is say this is the table name so pop over here will do the table name we'll save it that window that popped up all it was saying is hey when do you want me to pass data to the back end anyway when no
template matches the request content when there are no templates defined or never if I don't have a template defined I want it to pass to my back end and it could deal with a lot or I could just reject it if I want to but that's the window that was popping up all right so let's go back here now we already we already discussed the that now we have to declare this I'm not gonna do that so and I'm gonna I want to add the header for the moment just for time but we going to test here now let's see what we get this is a get heading directly we're getting data to see how fast I got the data right so talk directly to it so the last thing we're doing we got the data but it's not data that we can really use it's not what our client wants sorry in our integration response I'm gonna do a mapping template application JSON and the last mapping template I'm going to use you can tell I use alt tab a lot okay is this now this guy here I'll explain him when we get it in there all right let me blow that up a bit his job is to set a variable inputRoot and he's going to set it to the input path that grabs all the variables okay or all the data then he's gonna loop through the items in the inputRoot and he's gonna say device type will match element device type dot string or dot S that's how the data that I'm gonna be David it looks okay then the last thing he does says if there's more add a comma if there's not then get rid of it okay so he actually loops through all the data any for point format so how we want to let's bring that down size was a bit now let's test it and see if I know what I'm doing I really hope I do and I need to hit the right hand side I didn't hit test sorry there we go let's go down here there it is okay guys my scroller seems to be jumping on me here there we go test now we have data that matches what our client is looking for okay and that's it we've just built an API front to back let me let me flip this back over real quick here we're running on time
but here's what we did okay I would take this that's really small hard to read but like I said if you follow me on twitter I'll be open sourcing this a little later this month okay we built this out and we got rid of the get function right you know now we just talk directly to the records table some final thoughts real quick like I said these are the things we've covered and and and you know we've covered a lot going on here I really challenge you to start implementing these as much as you can and we did most of it was SAM we did it with the infrastructure as code one of the fun things is if things get complicated and it's a little more than your understanding build it in the console first and then in the stage you have the ability to export the SD or export the content as a swagger or OpenAPI file okay this is kind of that if you if you're looking for more training we have the AWS training and finally thank you I appreciate you guys and I hope you have this last day so enjoy the day so thank you if you can hear your feedback what can we do better what do we do great you guys I hope you enjoyed reinvent have a good week
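The phase 2 template the talk walks through (stage-level throttling, a Cognito authorizer applied per method, an IP blacklist resource policy, and a request model that rejects bad bodies before Lambda runs), reconstructed as an added SAM example; this is not the speaker's template, and the user pool export name, the blacklisted address, the paths and the model fields are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
# Added example, not the talk's template. Names and values are hypothetical.
Resources:
  FamilyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      # Throttling is a stage setting: every method on every path gets 2000 req/s, burst 1000
      MethodSettings:
        - ResourcePath: '/*'
          HttpMethod: '*'
          ThrottlingRateLimit: 2000
          ThrottlingBurstLimit: 1000
      Auth:
        # Declaring an authorizer does not apply it; each method opts in below
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !ImportValue FamilyUserPoolArn   # assumed export from a separate Cognito stack
        # Resource policy: everyone is explicitly allowed, then this address is denied (403)
        ResourcePolicy:
          IpRangeBlacklist:
            - 203.0.113.7   # placeholder from the documentation range, not a real client
      # Request model: API Gateway returns "Invalid request body" without invoking Lambda
      Models:
        DeviceData:
          type: object
          required: [deviceType, location]
          properties:
            deviceType: { type: number }   # a string here fails validation, as in the demo
            location: { type: string }
            message: { type: string }

  RecordsFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/
      Handler: app.handler
      Runtime: nodejs12.x
      Events:
        GetRecords:
          Type: Api
          Properties:
            RestApiId: !Ref FamilyApi
            Path: /records
            Method: get
            Auth:
              Authorizer: CognitoAuthorizer   # only this method requires a Cognito token
        PostRecord:
          Type: Api
          Properties:
            RestApiId: !Ref FamilyApi
            Path: /records
            Method: post
            RequestModel:
              Model: DeviceData
              Required: true
              ValidateBody: true   # the "validate body" switch the talk flips in the console
```

Changing throttling or the resource policy in the console still requires a stage deployment, which is the step the speaker keeps reminding the audience about; a template deploy does it for you.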
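The phase 3 pieces (an API key tied to a usage plan for the chatty device, and a GET that reads DynamoDB directly through a VTL mapping template instead of a transport Lambda), as an added SAM example that is not the speaker's open-sourced code; the table, role, stage and path names are assumptions, and the request-side transform for the IoT endpoint is not shown.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
# Added example, not the talk's template. Resource names are hypothetical.
Resources:
  RecordsTable:
    Type: AWS::Serverless::SimpleTable

  # API Gateway cannot call DynamoDB until it is given a role; grant only Scan on this one table
  ApiToDynamoRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: apigateway.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ScanRecordsOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: dynamodb:Scan
                Resource: !GetAtt RecordsTable.Arn

  FamilyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      OpenApiVersion: '3.0.1'
      DefinitionBody:
        openapi: '3.0.1'
        info: { title: family-api, version: '1' }
        paths:
          /records:
            get:
              responses:
                '200': { description: OK }
              x-amazon-apigateway-integration:
                type: aws
                httpMethod: POST          # DynamoDB's API is always POST, even for a read
                uri: !Sub arn:aws:apigateway:${AWS::Region}:dynamodb:action/Scan
                credentials: !GetAtt ApiToDynamoRole.Arn
                passthroughBehavior: never
                requestTemplates:
                  application/json: !Sub '{"TableName": "${RecordsTable}"}'
                responses:
                  default:
                    statusCode: '200'
                    responseTemplates:
                      # VTL: flatten DynamoDB's typed attributes (.N / .S) into the client's shape
                      application/json: |
                        #set($inputRoot = $input.path('$'))
                        [
                        #foreach($item in $inputRoot.Items)
                          {"deviceType": $item.deviceType.N, "location": "$item.location.S"}#if($foreach.hasNext),#end
                        #end
                        ]

  # The /iot endpoint Scott the phone talks to; the key identifies the device, it is not authentication
  IotFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/
      Handler: app.handler
      Runtime: nodejs12.x
      Policies:
        - DynamoDBCrudPolicy: { TableName: !Ref RecordsTable }
      Events:
        IotPost:
          Type: Api
          Properties:
            RestApiId: !Ref FamilyApi
            Path: /iot
            Method: post
            Auth: { ApiKeyRequired: true }

  # Usage plan: the key is bound to the prod stage and throttled to one request per second
  ScottApiKey:
    Type: AWS::ApiGateway::ApiKey
    Properties: { Enabled: true }
  ScottUsagePlan:
    Type: AWS::ApiGateway::UsagePlan
    Properties:
      ApiStages:
        - ApiId: !Ref FamilyApi
          Stage: !Ref FamilyApi.Stage
      Throttle: { RateLimit: 1, BurstLimit: 2 }
  ScottUsagePlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref ScottApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref ScottUsagePlan
```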
Info
Channel: AWS Events
Views: 9,665
Keywords: re:Invent 2019, Amazon, AWS re:Invent, SVS402-R2, Serverless, Amazon API Gateway
Id: cc_pKfDOH2E
Length: 62min 38sec (3758 seconds)
Published: Tue Dec 10 2019