getlift / lift
Expanding Serverless Framework beyond functions using the AWS CDK

License: MIT License

JavaScript 0.16% TypeScript 99.82% Shell 0.02%
serverless serverless-plugin serverless-framework aws aws-cdk

Contributors

acrobat, adriencaccia, andrewbarba, aran112000, atter, bytestream, dnp1, fargito, fredericbarthelet, htxiong, iam4x, j0k3r, jakejscott, jaulz, joawan, kamalgill, kevincerro, louispinsard, lynxsven, marcespiard, martindanielsson, mnapoli, moosthuizen42, salemdar, sc0ra, seantcanavan, sludgegirl, t-richard, thomasaribart, whambulance


lift's Issues

Run tests with the oldest and latest Serverless versions

To catch any internal change in Serverless Framework, we should run tests in CI with:

  • the lowest supported Serverless version
  • the latest released Serverless versions

We should probably also run tests in CI every night, to test against any new Serverless release as soon as possible.

cc @fredericbarthelet, we mentioned this together

[SQS] Batch Window

I need to configure maximumBatchingWindow from SQS constructs.
Can you expose this property? Just like batchSize.

Nightly CI failing

The scheduled CI running every night has been failing for 5 days.

This is due to https://github.com/aws/constructs/pull/771/files

This library is a dependency of CDK libraries and stopped supporting NodeJS 10 hence the failing workflow.

There are 2 solutions:

  1. Dropping NodeJS 10 support
  2. Restrict versions of constructs to <=3.3.156

1️⃣ seems the right move to me because restricting will mean we won't be able at some point to get updates from CDK until we eventually drop NodeJS 10.

Note that there's already been a discussion about NodeJS 10 support in the past which led to it being supported, see #46

FIFO SQS Queues FifoThroughputLimit and exposing other configurations.

Let me start by saying thank you for the awesome work you have done with this project, very much appreciated.

I definitely wanted to ask you how I would enable higher throughput with the FIFO queues. I'm generating about 20000 messages in a couple of seconds but then I see them eternally going one by one with my FIFO queue, like in 1 day or more. I just went and enabled the high throughput slider manually on my queues in the AWS console, but it's not something that can hold for the long run.

  ContentBasedDeduplication: Boolean
  DeduplicationScope: String
  DelaySeconds: Integer
  FifoQueue: Boolean
  FifoThroughputLimit: String
  KmsDataKeyReusePeriodSeconds: Integer
  KmsMasterKeyId: String
  MaximumMessageSize: Integer
  MessageRetentionPeriod: Integer
  QueueName: String
  ReceiveMessageWaitTimeSeconds: Integer
  RedriveAllowPolicy: Json
  RedrivePolicy: Json

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/high-throughput-fifo.html

Also, according to that documentation, that will increase throughput significantly. From my perspective, disabling the deduplication scope would also increase the performance of the queue, but I couldn't find any documentation that would confirm or deny my assumption. The reason for me using FIFO queues is that the load on other resources can't tolerate concurrency:

myconstruct:
  type: queue
  fifo: true
  worker:
    handler: handler.generator
    timeout: 120
    provisionedConcurrency: 1
  maxRetries: 3

I was wondering if it makes sense to expose the AWS CloudFormation API within the Lift construct to tweak the FIFO queues depending on the use case. Also, whether there is a workaround that doesn't require me to eject from Lift.

[ServerSideWebsite] Expose Bucket in Output

Hi all,

Would it be possible to expose the S3 Bucket in the output of the ServerSideWebsite construct?

Indeed, I need to adjust some behaviors of this bucket via the resources of the serverless.yml, but currently I can only do it after a first deployment, by manually retrieving the id via the stack created:

resources:
  extensions:
    ${construct:website.bucket}:
      Properties:
        WebsiteConfiguration:
          IndexDocument: index.html

instead of

resources:
  extensions:
    websiteAssets2A73BB69:
      Properties:
        WebsiteConfiguration:
          IndexDocument: index.html

Thanks for your time.

Cannot create a webhook on some third party service

Hello,

Today I tried to create a webhook for Trello with the construct available in Lift. But I stumbled across an error saying that the webhook was not returning a 2xx response code. After some testing, I found out that Trello was sending a GET request on the endpoint to check its availability.

Yes, it's weird to check the provided endpoint with a GET request when all other requests will be POST. But anyway, my solution was:

  • create a Lambda in my serverless.yml ;
  • manually attach it to the HttpApi created by Lift (on the same route, but with the GET method) ;
  • create the integration on Trello API with the webhook endpoint ;
  • delete the GET route ;
  • remove the Lambda from serverless.yml.

A bit painful, but it worked. I wonder if anyone got the same problem with another third party service? Maybe it's just this tool that does a wrong check and I need to inform Trello/Atlassian? Maybe Lift can add an integration on GET and HEAD routes in addition to the POST one?

(This is open to discussion and could have been a discussion thread in the Webhook RFC or other, but because I couldn't use the Webhook Construct for Trello without some manual tweaks, I prefer to create an issue)

Offline mode

Is there a way to use the Storage constructs with Serverless offline?
I ran the deployment so the bucket was created correctly. But if I run sls offline the bucket name comes as the string [object Object], when set in an env via: BUCKET_NAME: '${construct.someBucket.bucketName}'.

Using serverless-offline-sqs

I'm currently on a project where I'm using the following plugins: serverless-offline, serverless-offline-sqs and serverless-lift. When I try to run 'serverless offline', for each environment declared in the worker this error is being raised:

offline: MissingRequiredParameter: Missing required key 'QueueName' in params at ParamValidator.fail.

Is there any configuration where I can fix this error?

Assets Uploaded to S3 - Path has Backslash

It appears that for any assets in subdirectories uploaded to S3, it uses a backslash instead of a forward slash. This appears to make the file(s) inaccessible. Here is the snippet I'm using in serverless.yml:

constructs:
  website:
    type: server-side-website
    assets:
      '/js/*': assets/js
      '/css/*': assets/css
      '/images/*': assets/images
      '/favicon.ico': assets/favicon.ico
      '/robots.txt': assets/robots.txt
    domain: ${self:custom.domains.${self:custom.stage}}
    certificate: arn:aws:acm:us-east-1:xxxxxxxxxxxxxx:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Here's a sample of those files as they appear in S3 (retrieved via aws s3 ls <bucket>; displays same way in AWS console):

2021-11-18 14:59:22      14631 images\logo.png
2021-11-18 14:59:22        818 images\logo1.png
2021-11-18 14:59:22       1000 images\logo2.png
2021-11-18 14:59:23       1396 images\logo3.png
2021-11-18 18:43:50       1459 images\logo4.png
2021-11-18 14:59:23       3216 images\logo5.png

Attempting to access one of those files (https://xxxxxxxx.yyy/images/logo4.png) via CloudFront results in:

<Error>
<Code>NoSuchKey</Code>
<Message>The specified key does not exist.</Message>
<Key>images/logo4.png</Key>
<RequestId>XXXXXXXXXXXXXX</RequestId>
<HostId>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx=</HostId>
</Error>

I checked the CloudFront Behaviors section and they look correct.

If I manually delete the files in S3, create the containing directory and upload the file manually, it works as expected.

Has anyone else run into this?
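To show why the key itself is what matters here, the following TypeScript is an added illustration and not Lift's code: it builds an S3 key from a local relative path the way an upload step might, and normalises the separator before the key is written. The names `toS3Key`, `windowsStyleRelativePath` and `keysForAssets` are mine. S3 keys are flat strings in which a backslash is an ordinary character, so `images\logo4.png` and `images/logo4.png` are two different objects, and a CloudFront request for the latter returns NoSuchKey when only the former exists.

```typescript
import * as path from "path";

// Added example, not Lift's own code. An upload that builds the key with the
// OS path separator stores "images\logo4.png" on Windows; a request for
// "images/logo4.png" then fails with NoSuchKey, as in the issue above.

// Build the S3 key for a local file, relative to the asset root. Any mix of
// "\" and "/" is accepted; the result always uses "/" as the separator and
// drops empty and "." segments.
export function toS3Key(localRelativePath: string): string {
    const parts = localRelativePath
        .split(/[\\/]+/)
        .filter((segment) => segment.length > 0 && segment !== ".");
    // A key must stay inside the asset root: a ".." segment would mean the
    // upload walked outside the directory that was configured.
    if (parts.some((segment) => segment === "..")) {
        throw new Error(`path escapes the asset root: ${localRelativePath}`);
    }
    return parts.join("/");
}

// The relative path exactly as path.join() produces it on Windows. Using
// path.win32 explicitly reproduces the faulty input on any OS.
export function windowsStyleRelativePath(...segments: string[]): string {
    return path.win32.join(...segments);
}

// Walk (subdirectory, file) pairs as an upload step would and return the keys
// that would be written. The pairs passed in are constructed test input.
export function keysForAssets(assets: Array<[string, string]>): string[] {
    return assets.map(([dir, file]) => toS3Key(windowsStyleRelativePath(dir, file)));
}
```

Run over the assets map from the issue, the helper yields `images/logo4.png` rather than `images\logo4.png`. The `..` check is there because a key normaliser sits between a developer's filesystem layout and a public bucket and should never write outside the configured asset directory.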

[static website] Option to ignore some files in bucket

I have a use-case where I have additional files being added to the static website's bucket by a separate function.

It would be helpful if there was an option on the static-website construct where I could provide a list of patterns for files and folders that are to be excluded when deleting all the files from the bucket on deploy.

This ticket is based on this Bref Slack discussion.

Storage Construct - Invalid variable reference syntax for variable constructs:videos.bucketName

Hello 👋

I'm currently testing Lift constructs and I'm trying to find a small use case for each construct for my company's needs.

I've deployed the "Storage" construct but then realized that I forgot the env variable for the bucket name. I added it and the sls deploy command fails:

Invalid variable reference syntax for variable constructs:videos.bucketName. You can only reference env vars, options, & files. You can check our docs for more info.

Here are my files; I'm keeping them as simple as possible for demo purposes:

# serverless.yml
service: ugc-upload # user-generated-content, small project to accept videos from an user

provider:
  name: aws
  profile: superadmin # multiple account in my credentials
  region: eu-west-2 # for reasons
  runtime: provided.al2
  lambdaHashingVersion: 20201221

plugins:
  - serverless-lift
  - ./vendor/bref/bref

constructs:
  videos:
    type: storage

functions:
  get-signed-url:
    handler: src/GetSignedUrlHandler.php
    layers:
      - ${bref:layer.php-80}
    events:
      - httpApi: "GET /"
    environment:
      BUCKET_NAME: ${constructs:videos.bucketName}

# package.json
{
  "devDependencies": {
    "serverless": "^2.46.0",
    "serverless-lift": "^1.1.0"
  }
}
# Got this from `npm i --save-dev serverless serverless-lift`

# composer.json
{
    "require": {
        "bref/bref": "^1.2",
        "async-aws/s3": "^1.9",
        "azjezz/psl": "^1.7"
    }
}
# Got this from `composer require bref/bref async-aws/s3 azjezz/psl`

# src/GetSignedUrlHandler.php
<?php

require dirname(__DIR__) . '/vendor/autoload.php';

use AsyncAws\S3\Input\PutObjectRequest;
use AsyncAws\S3\S3Client;
use Bref\Context\Context;
use Bref\Event\Http\HttpHandler;
use Bref\Event\Http\HttpRequestEvent;
use Bref\Event\Http\HttpResponse;
use Psl\Json;
use Psl\SecureRandom;

class GetSignedUrlHandler extends HttpHandler
{
    public function handleRequest(HttpRequestEvent $event, Context $context): HttpResponse
    {
        $client = new S3Client();

        $input = new PutObjectRequest(
            [
                "Bucket" => $_ENV["BUCKET_NAME"],
                "Key" => SecureRandom\string(11) . ".png",
            ]
        );

        $signedUrl = $client->presign($input);

        return new HttpResponse(
            Json\encode(["signed-url" => $signedUrl]),
            ["Content-Type" => "application/json"],
        );
    }
}

return new GetSignedUrlHandler();

The complete output of sls deploy:

Serverless: Running "serverless" installed locally (in service node_modules)
Serverless: Deprecation warning: Approached unrecognized configuration variable sources: "constructs".
            From a next major this will be communicated with a thrown error.
            Set "variablesResolutionMode: 20210326" in your service config, to adapt to new behavior now
            More Info: https://www.serverless.com/framework/docs/deprecations/#NEW_VARIABLES_RESOLVER
 
 Serverless Error ----------------------------------------
 
  Invalid variable reference syntax for variable constructs:videos.bucketName. You can only reference env vars, options, & files. You can check our docs for more info.
 
  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com
 
  Your Environment Information ---------------------------
     Operating System:          darwin
     Node Version:              14.4.0
     Framework Version:         2.46.0 (standalone)
     Plugin Version:            5.4.0
     SDK Version:               4.2.3
     Components Version:        3.12.0

Static website: limit the Cloudfront Function name to 64 symbols

Hello,

CloudFront function names are allowed to have only 64 symbols. In most cases it is enough, but in the case of long stage names this may be an issue.
We're building temporary MR environments with our CI/CD pipelines, and the best would be to use the feature-branch names as stage names, but these may be quite long. For example: feature-add-storybook-templates

And since the function name consists of <service>-<stage>-<region>-<path>-response, the number of symbols which can be used becomes very small.

Currently I've solved it by using the first 8 characters of the commit SHA instead of a branch name, but would it be possible to integrate a length check for the function name, and if it is longer than 64, cut it and add a short hash at the end automatically?

So, a name like this: app-service-feature-add-storybook-templates-eu-central-1-build-response becomes app-service-feature-add-storybook-templates-eu-central-1ST8SHA1
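As an added illustration of the length rule proposed above (my own TypeScript, not Lift's code; the helper names, the 8-character SHA-1 prefix and the `-` separator are assumptions), this builds the `<service>-<stage>-<region>-<path>-response` name and shortens it only when it would exceed 64 characters:

```typescript
import { createHash } from "crypto";

// Added example, not Lift's own code. The 64-character limit is the one
// quoted in the issue; the helper names, the 8-character hash and the "-"
// separator are my own choices for the illustration.
export const MAX_FUNCTION_NAME_LENGTH = 64;
const HASH_LENGTH = 8;

// Shorten a name that exceeds maxLength. The readable prefix is kept and a
// short hash of the FULL original name is appended, so two long names that
// share the same prefix still map to different, stable results. A "-" left
// at the cut is trimmed so the output never contains "--".
export function truncateWithHash(name: string, maxLength = MAX_FUNCTION_NAME_LENGTH): string {
    if (name.length <= maxLength) {
        return name;
    }
    const hash = createHash("sha1").update(name).digest("hex").slice(0, HASH_LENGTH);
    const prefix = name.slice(0, maxLength - HASH_LENGTH - 1).replace(/-+$/, "");
    return `${prefix}-${hash}`;
}

// Compose the "<service>-<stage>-<region>-<path>-<suffix>" name from the
// issue and apply the length rule to it.
export function cloudFrontFunctionName(
    service: string,
    stage: string,
    region: string,
    path: string,
    suffix = "response",
): string {
    return truncateWithHash(`${service}-${stage}-${region}-${path}-${suffix}`);
}
```

Hashing the full original name rather than only the part that was cut off keeps the result stable across deployments of the same stage and distinct for branches whose names share a long common prefix; a hex digest also stays within the letters, digits, hyphens and underscores that the rest of the name already uses.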

aws-sdk should be in devDependencies?

https://docs.aws.amazon.com/lambda/latest/dg/nodejs-package.html says "If your function depends only on standard libraries, or AWS SDK libraries, you don't need to include these libraries in your .zip file. These libraries are included with the supported Lambda runtime environments."

serverless-lift should not include aws-sdk as it bloats the resulting .zip. Should aws-sdk be a devDependency?

It's possible to exclude aws-sdk explicitly using package pattern, but it should be excluded by default.

SQS Queue

Hello. Is it possible to add MessageRetentionPeriod to the queue?

Function-specific commands should be simpler to use

Here is an example with a queue construct:

constructs:
    jobs:
        type: queue
        worker:
            ...

To view logs, I must type:

serverless logs -f <function-name>

What's the function name?

As a user, I need to know that Lift will generate a function named jobsWorker.

That should be simpler for users.

Solution A

We could add construct commands, for example:

serverless jobs:worker:logs
serverless jobs:worker:deploy
...

The challenge is avoiding reimplementing commands and their options. I gave it a quick try:

  • using pluginManager.spawn() wouldn't work here, as there doesn't seem to be a way to change the options for the spawned command (e.g. to pass the function name)
  • spawning a subprocess could work (we would need to forward all the CLI options)

Solution B

We could add an output to print the function name. That way users can find out what the function name is.

This approach requires more effort from the user, and is less discoverable. However it is more consistent with the existing commands.

[Static Website] Point /api to the serverless gateway

Could it make sense to have an option to forward /api in the cloudfront distribution to the api gateway?

This would avoid preflight overhead and make it easy to talk with the serverless API from the website.

PS. Absolutely LOVE this. Thanks for doing the heavy lifting!

DLQ URL/ARN not available

When trying to use a DLQ in another component via:

destinations:
  onFailure: ${construct:queue.dlqUrlOutput}

I am getting the error:

Resolution error: ${construct:queue.dlqUrlOutput} does not exist. Properties available on ${construct:queue} are: queueUrl, queueArn.

However the below linked line seems to suggest this does get output:

this.dlqUrlOutput = new CfnOutput(this, "DlqUrl", {

Serverles-lift fails to create queues, if stage name is passed from a custom variable

The following configuration won't work

service: demo

frameworkVersion: '2'

plugins:
  - serverless-lift

custom: ${file(../config/config.yml)}

provider:
  name: aws
  runtime: python3.8
  lambdaHashingVersion: 20201221

  stage: ${self:custom.stage}

  constructs:
    my-queue:
      type: queue
      fifo: true
      worker:
        handler: lambdas/lambda_name.lambda_handler

This fails with exception

Serverless Error ----------------------------------------
 
  ServerlessError: An error occurred: my-queueDlqF097231D - The name of a FIFO queue can only include alphanumeric characters, hyphens, or underscores, must end with .fifo suffix and be 1 to 80 in length. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 472ff810-cd4d-5bdf-acae-a1f36a3ee1fb; Proxy: null).
      at /opt/demo/serverless-script/node_modules/serverless/lib/plugins/aws/lib/monitorStack.js:136:23
      at processTicksAndRejections (internal/process/task_queues.js:97:5)

I tried to find the reason by adding the console.log at this place in Queue.ts

// The default function timeout is 6 seconds in the Serverless Framework
const functionTimeout = configuration.worker.timeout ?? 6;

const maxRetries = configuration.maxRetries ?? 3;

const baseName = `${this.provider.stackName}-${id}`;

console.log("baseName: " + baseName);

const dlq = new CdkQueue(this, "Dlq", {
    queueName: configuration.fifo === true ? `${baseName}-dlq.fifo` : `${baseName}-dlq`,
    // 14 days is the maximum, we want to keep these messages for as long as possible
    retentionPeriod: Duration.days(14),
    fifo: configuration.fifo,
});

The output indicated that the custom variable did not get resolved, hence the error:

basename: demo-${self:custom.stage}-my-queue

However if I change the stage variable to

stage: test

it works perfectly.

Logging Worker

When I use serverless offline --printOutput it doesn't log the logs from my queue worker, is this not possible to do or did I miss something?

No allowance for quota increases

In our particular case, we had an AWS Quota Limit increase on the number of Cloudfront forwarded headers from 10 to 15. At this time, it is hard coded to only allow 10 headers when projects can have more if approved by AWS.

Node 10 compatibility ("flat is not a function")

Hello ✋

I have a problem using <construct>:upload. I'm trying to deploy my landing page using the configuration described in the documentation.

I run:
serverless landing:upload

With this config below:

constructs:
    landing:
        type: static-website
        path: landingPage

And this error appears:

[image]

It seems like I don't have permission, but I'm also using serverless to deploy my API using bref.sh with the same IAM role.

SQS Server side encryption

Hey,

I want to add server-side encryption to the queues created by Lift, specifically the KmsMasterKeyId. Is this possible? If not, can this property be exposed?

Error: The XML you provided was not well-formed or did not validate against our published schema

During sls deploy of react/gatsby website I get the following error:

[...]
Deleting public/static/slide-3-ac5bf32331347fc3e267e58177c3bccc.png
Deleting public/static/white_bg1-4a8b4ddfca1d3b974210bfebf741f1e5.svg
Deleting public/styles.332ed04b92590be19262.css
Deleting public/styles.55e29f7ac37d141a5e6a.css
Deleting public/webpack-runtime-b6adb77e9e7bb73d8646.js
Deleting public/webpack-runtime-b6adb77e9e7bb73d8646.js.map
Deleting public/webpack-runtime-d682f7d47c0dd90b1df7.js
Deleting public/webpack-runtime-d682f7d47c0dd90b1df7.js.map
Deleting public/webpack.stats.json

Serverless Error ----------------------------------------
 
  The XML you provided was not well-formed or did not validate against our published schema
 
  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com
 
  Your Environment Information ---------------------------
     Operating System:          darwin
     Node Version:              14.16.1
     Framework Version:         2.64.1 (local)
     Plugin Version:            5.5.0
     SDK Version:               4.3.0
     Components Version:        3.17.1

Perhaps it is that problem: https://stackoverflow.com/a/69235576/4105584

Static website: Deployment IAM permissions

Hi,
I really appreciate how Lift helps me to remove some repeating work when deploying a static website, but one chore still remains - creating an AWS IAM user with the right permissions to deploy the site from my CI/CD pipeline.

What I usually do is a trial-and-error procedure of creating a user and adding more and more permissions until my deployment is successful. Is there an easier way? Is it documented?

Thank you!

Expose DLQ URL

I'm currently retrieving the DLQ URL by referencing the logical ID of the DLQ that is generated after the first deployment.

For example in my serverless.yml:

environment:
  QUEUE_URL: ${construct:queue.queueUrl}
  DLQ_URL: !Ref queueDlqAB1234C5

Ideally, this value is exposed on the queue when referencing the construct, so it could look like the following:

environment:
  QUEUE_URL: ${construct:queue.queueUrl}
  DLQ_URL: ${construct:queue.dlqUrl}

I've had a bit of a dig around and I think we can possibly achieve this by changing the following in Queue.ts

variables(): Record<string, unknown> {
    return {
        queueUrl: this.queue.queueUrl,
        dlqUrl: dlq.queueUrl,
        queueArn: this.queue.queueArn,
    };
}

New Construct proposal: SNS notification

There is a large chance that at some point you need an outgoing notification topic with its permissions and policy to provide event-driven architecture intercommunication, to notify end users, to notify it, etc., so that you can reference it from Lambda code.

Storage: config validation warning

With the following config:

storage:
    pdf:

I get the following warning in the CLI (only a soft warning, no error):

Serverless: Configuration warning at 'storage': should NOT have fewer than 1 properties

I don't understand why the warning here, storage has 1 property (pdf:). Any idea @fredericbarthelet?

Server-side website: ability to define static HTML pages

In Server-side-website, we can configure the error page with:

constructs:
    website:
        # ...
        errorPage: error500.html

But we can't set the CDN's default page, like this:

constructs:
    website:
        # ...
        defaultPage: index.html

In my case, for example, index.html is added in my assets (it's a fully static page), but if I go to the page https://mydomain.com I get redirected to the Lambda management. If I go directly to https://mydomain.com/index.html, it's OK, but not really top.

What do you think?

Webhook: allow custom identitySource

Hi, would it be possible to allow custom identitySource (or disablement of it) for Webhook? It is currently hardcoded to $request.header.Authorization

Certain services like Paddle do not provide anything in the authorization header, rather they provide the signature inside the body. Paddle does not allow specifying of headers either so I'm kinda stuck.
Thanks!

Extend construct to also accept "image" instead of just "handler" for docker support

I was wondering if it would be possible to extend the "construct" entry in serverless.yml to also accept docker images?

For example, I can deploy a docker image in serverless like this:

provider:
  name: aws
  ecr:
    images:
      my-docker-image:
        path: ./

functions:
  my-function:
    image:
      name: my-docker-image

And I would love to use lift to add additional resources around it. However, this is not currently allowed:

provider:
  name: aws
  ecr:
    images:
      my-docker-image:
        path: ./

constructs:
  my-queue:
    type: queue
    worker:
      image:
        name: my-docker-image

My hope is that this is just a constraint put on the serverless.yml, and that lift can fall back on serverless functionality to deploy the images. That said, I appreciate that I don't have overview of the work required at all.

Would be great to hear your thoughts on this request!

Create ECS

Hi all,

Starting from the premise that our image exists (from ECR or Docker Hub), can we imagine a constructor that would take as argument the name of the image and, optionally, the CPU, the RAM and the number of occurrences (etc.?) and that would return as output the associated public IP:

service: my-app

provider:
    name: aws

plugins:
    - serverless-lift

constructs:

    # Include Lift constructs here

    my-service:
        type: ecs
        image: 'gotenberg' # from Docker hub for example

We could also specify a security group to complete the whole thing.

`${param}` variables are not resolved in constructs

I just spent several hours trying to understand why the parameters from the serverless dashboard weren't correctly being passed to lift plugin until I came across this note on the serverless plugins' guide.

Note: Variable references in the serverless instance are not resolved before a Plugin's constructor is called, so if you need these, make sure to wait to access those from your hooks.

Which means that trying to do the following will result in an error "ARNs must start with "arn:" and have at least 6 components: ${param:CERTIFICATE}".

constructs:
  app:
    domain: ${param:DOMAIN}
    certificate: ${param:CERTIFICATE}
    type: static-website
    path: dist

I fixed it on a fork moving the Constructs loader to the initialize hook pedrodim@1c47638, which seems to work fine for the Static website construct (it does correctly deploy my website without errors) but obviously now some tests are broken and I have no idea how to fix those.

Feature request: S3 presigned links redirects

According to an AWS S3 support response, when we create a presigned S3 URL, its expiration date is restricted not only by our will, but also by the expiration date of the token we used to create this presigned URL. That means that it's impossible to create presigned links that work e.g. for a week under a Lambda IAM token, since this token will expire long before the week has passed.

I know only two options to overcome this:

  1. Use a separate AWS IAM token just for S3 presigning links. That's the easiest way, but requires handling additional tokens. Doesn't look like a clean option to me.
  2. Create a specific Lambda endpoint that will handle redirects to freshly presigned links. The link could work using a JWT with all data included.

So, the feature request is to implement such a redirection function with Lift.

Move from Cloudfront functions to Response headers for security

AWS announced today support for Response headers with a built-in preset for adding security headers.

https://aws.amazon.com/fr/about-aws/whats-new/2021/11/amazon-cloudfront-supports-cors-security-custom-http-response-headers/

I think it could replace the response cloudfront function and save on the extra cost.

Unfortunately, CloudFormation (and so CDK) support is not there yet, so I'm opening this to gather feedback and hopefully not forget about it 😅

There's also the option to add CORS headers on the distribution which may be useful for the server side website and even custom fixed value headers (no use case yet from my POV).

EDIT: more detailed article here https://aws.amazon.com/fr/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-response-headers-policies/

Permissions for queue construct

Hello, thank you for the development of the Lift plugin, it's so awesome, I hope it will support more use cases in the near future. I especially like it as a Ruby developer, as AWS CDK does not support it at all 😞.

Background:

Yesterday I've submitted the PR for the Serverless Framework example (SQS + DynamoDB). I've used the queue construct for the example which is awesome.

However, during the implementation I came across one problem, and I'm not sure whether it is due to the construct, or maybe due to my lack of knowledge in some aspects of the Serverless Framework.

Problem

Within the permissions section, we can see the information about:

By default, all the Lambda functions deployed in the same serverless.yml file will be allowed to push messages into the queue.

In the example below, there are no IAM permissions to set up: myFunction will be allowed to send messages into my-queue.

constructs:
    my-queue:
        type: queue
        # ...

functions:
    myFunction:
        handler: src/publisher.handler
        environment:
            QUEUE_URL: ${construct:my-queue.queueUrl}

This is quite nice, as I do not need to provide IAM statements within the serverless.yml.

However, when I've added another resource, which is DynamoDB in my case, and added the IAM statements:

iam:
    role:
      statements:
        - Effect: Allow
          Action:
            - dynamodb:PutItem
          Resource:
            - !GetAtt Table.Arn

After the deployment, the Lambda function for the myFunction will not have permissions to access the SQS anymore. So to make it work I need to add to the above iam role statements:

        - Effect: Allow
          Action:
             - sqs:SendMessage
          Resource: ${construct:lotteryQueue.queueArn}

Not sure whether it is a bug or not. 🤔

Database/dynamodb-single-table : Fine-grained GSI configuration

This issue follows initial implementation of database/dynamodb-single-table construct.

Originally posted by @alexdebrie in #69 (comment)

What if I do need different keys on my secondary index -- is this configurable? In most cases, I use the generic keys as you have, but there are situations where you may want something different.

Originally posted by @fredericbarthelet in #69 (comment)

Secondary keys are not configurable. I was wondering if duplicating data across multiple attributes when there is an overlap in indexes is not a better strategy. For example, you may have access patterns with overlapping indexes for a specific type of items within your table. If you enforce GSI-1-PK as being the table primary SK, you actually enforce projection of all rows of the table to this new secondary index, even for entities not benefiting from this pattern. This incurs additional cost, that may be higher than actually duplicating this specific attribute for items benefiting from this pattern.

Solution with attribute duplication
| PK | SK | GSI-1-PK | GSI-1-SK | Amount |
|------------ |---------- |---------- |------------ |-------- |
| INV#123456 | BILL#112 | BILL#112 | 2020-01-03 | 12 |
| INV#123456 | BILL#113 | BILL#113 | 2020-01-08 | 22 |
| USER#123 | John Doe | | | |

Benefits:

  • Inserting USR#123 does not incur cost for replication on GSI-1
  • Invoices have a duplicated attribute: SK and GSI-1-PK. This incurs additional costs only if this duplication actually brings the total amount written over the next KB

Solution with overlapping indexes
| PK | SK (GSI-1-PK) | GSI-1-SK | Amount |
|------------ |--------------- |------------ |-------- |
| INV#123456 | BILL#112 | 2020-01-03 | 12 |
| INV#123456 | BILL#113 | 2020-01-08 | 22 |
| USER#123 | John Doe | | |

Benefits:

  • Duplication does not need to be programmatically handled

WDYT?
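To make the cost argument in the two comments above concrete, here is an added example (not code from the Lift project or from either commenter): a rough write-cost model for the two layouts. It relies on two DynamoDB facts, that writes are billed per started KB of item size and that a GSI only stores items carrying the index's partition-key attribute (a sparse index). The item rows are constructed to mirror the tables above, the ALL-projection assumption and the helper names (`totalWriteUnits`, `compareStrategies`, `kbBoundaryExample`) are mine.

```typescript
// Added example, not code from the Lift project: a write-cost model for the two
// single-table layouts compared above. DynamoDB bills writes in 1 KB units of item
// size, and a GSI only receives items that carry the index's partition-key attribute.

type Item = Record<string, string | number>;

// UTF-8 byte length of a string (DynamoDB sizes attribute names and string values this way).
function utf8Length(s: string): number {
  let n = 0;
  for (let i = 0; i < s.length; i++) {
    const cp = s.codePointAt(i) as number;
    n += cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if (cp > 0xffff) i++; // skip the low surrogate of an astral code point
  }
  return n;
}

// Approximate stored size: attribute names plus values (numbers counted as decimal text).
function itemSizeBytes(item: Item): number {
  let size = 0;
  for (const name of Object.keys(item)) {
    size += utf8Length(name) + utf8Length(String(item[name]));
  }
  return size;
}

// One write capacity unit per started KB.
function writeUnits(item: Item): number {
  return Math.ceil(itemSizeBytes(item) / 1024);
}

interface WriteCost { table: number; gsi: number; replicated: number }

// Base-table units for every item, plus index units for the items that land in the GSI.
// Assumes an ALL projection, so the index copy is the same size as the base item.
function totalWriteUnits(items: Item[], gsiPartitionKey: string): WriteCost {
  const cost: WriteCost = { table: 0, gsi: 0, replicated: 0 };
  for (const item of items) {
    cost.table += writeUnits(item);
    if (gsiPartitionKey in item) {
      cost.replicated += 1;
      cost.gsi += writeUnits(item);
    }
  }
  return cost;
}

// Constructed sample rows mirroring the two tables in the comment.
const duplicatedAttributeItems: Item[] = [
  { PK: "INV#123456", SK: "BILL#112", "GSI-1-PK": "BILL#112", "GSI-1-SK": "2020-01-03", Amount: 12 },
  { PK: "INV#123456", SK: "BILL#113", "GSI-1-PK": "BILL#113", "GSI-1-SK": "2020-01-08", Amount: 22 },
  { PK: "USER#123", SK: "John Doe" },
];
// Overlapping layout: SK doubles as the GSI partition key, so every row is projected.
const overlappingIndexItems: Item[] = [
  { PK: "INV#123456", SK: "BILL#112", "GSI-1-SK": "2020-01-03", Amount: 12 },
  { PK: "INV#123456", SK: "BILL#113", "GSI-1-SK": "2020-01-08", Amount: 22 },
  { PK: "USER#123", SK: "John Doe" },
];

function compareStrategies(): { duplicated: WriteCost; overlapping: WriteCost } {
  return {
    duplicated: totalWriteUnits(duplicatedAttributeItems, "GSI-1-PK"),
    overlapping: totalWriteUnits(overlappingIndexItems, "SK"),
  };
}

// The "next KB" caveat: copying SK into GSI-1-PK only costs extra when it pushes the
// item over a 1 KB boundary. This constructed invoice sits just under that boundary.
function kbBoundaryExample(): { before: number; after: number } {
  const invoice: Item = { PK: "INV#1", SK: "BILL#1", Body: "x".repeat(1000) };
  const before = writeUnits(invoice);
  const after = writeUnits({ ...invoice, "GSI-1-PK": invoice.SK });
  return { before, after };
}
```

With the sample rows, `compareStrategies()` shows the USER row replicated to the index only under the overlapping layout (3 index writes instead of 2), while `kbBoundaryExample()` shows the one case where duplication costs a second write unit on the base table.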

Queue: retry failed messages via a Lambda function instead of a local command

I am opening this issue to track a use case: retrying failed messages via a Lambda function.

Current behavior:

As a user, I can retry failed messages of a queue via: serverless queue:retry.

That command will connect to the SQS DLQ, fetch messages and move them to the main queue.

As such, the user running the command must have the AWS permissions to read/write those SQS queues.

New behavior:

On top of the existing command, there could be an alternative: the "retry" logic could run in a Lambda function.

That way, permissions to read/write SQS queues is limited to the Lambda function.

The Lambda function could be deployed by the queue construct: it wouldn't be a function users have to write.

The function could be triggered either manually by users (through the AWS console or API) or via a local command, e.g. serverless queue:retry-lambda:invoke (or whatever the name would be). That local command would invoke the Lambda function (not connect to SQS directly).


If this use case matches your needs please add 👍 on this issue and describe your situation in a comment. This helps prioritize new features.
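The redrive logic such a construct-deployed Lambda would run, as an added example that is not part of the issue or of Lift's code base. It is written against a minimal `QueueClient` interface so the loop can be exercised offline with an in-memory stand-in (`FakeQueueClient`, constructed here); a real deployment would back the interface with the SQS SDK. The interface, the function names and the queue URLs are assumptions of this example.

```typescript
// Added example, not Lift's code: move every message from a DLQ back to the main queue.

interface QueueMessage { id: string; receiptHandle: string; body: string }

// The three SQS operations the retry needs; nothing else should be in the function's role.
interface QueueClient {
  receive(queueUrl: string, max: number): Promise<QueueMessage[]>;
  send(queueUrl: string, body: string): Promise<void>;
  delete(queueUrl: string, receiptHandle: string): Promise<void>;
}

// A message is deleted from the DLQ only after the send succeeded, so a failed send leaves
// it in the DLQ (visible again after its visibility timeout) instead of losing it.
// maxBatches bounds the run so the Lambda cannot spin until its timeout on a noisy DLQ.
async function retryFailedMessages(
  client: QueueClient, dlqUrl: string, mainQueueUrl: string, maxBatches = 100,
): Promise<{ moved: number; failed: number }> {
  let moved = 0, failed = 0;
  for (let batch = 0; batch < maxBatches; batch++) {
    const messages = await client.receive(dlqUrl, 10);
    if (messages.length === 0) break;
    for (const msg of messages) {
      try {
        await client.send(mainQueueUrl, msg.body);
        await client.delete(dlqUrl, msg.receiptHandle);
        moved++;
      } catch (err) {
        failed++; // stays in the DLQ for a later run
      }
    }
  }
  return { moved, failed };
}

// In-memory stand-in for SQS, constructed for this example only. Received messages become
// invisible (as SQS does during the visibility timeout) until they are deleted.
class FakeQueueClient implements QueueClient {
  private queues = new Map<string, (QueueMessage & { visible: boolean })[]>();
  private seq = 0;
  failOnBodies = new Set<string>(); // bodies whose send() fails, to simulate an outage

  constructor(initial: Record<string, string[]>) {
    for (const url of Object.keys(initial)) {
      this.queues.set(url, initial[url].map((b) => this.make(b)));
    }
  }
  private make(body: string): QueueMessage & { visible: boolean } {
    this.seq++;
    return { id: `m${this.seq}`, receiptHandle: `rh${this.seq}`, body, visible: true };
  }
  private queue(url: string): (QueueMessage & { visible: boolean })[] {
    if (!this.queues.has(url)) this.queues.set(url, []);
    return this.queues.get(url) as (QueueMessage & { visible: boolean })[];
  }
  bodies(url: string): string[] {
    return this.queue(url).map((m) => m.body);
  }
  async receive(queueUrl: string, max: number): Promise<QueueMessage[]> {
    const picked = this.queue(queueUrl).filter((m) => m.visible).slice(0, max);
    for (const m of picked) m.visible = false;
    return picked.map((m) => ({ id: m.id, receiptHandle: m.receiptHandle, body: m.body }));
  }
  async send(queueUrl: string, body: string): Promise<void> {
    if (this.failOnBodies.has(body)) throw new Error("simulated send failure");
    this.queue(queueUrl).push(this.make(body));
  }
  async delete(queueUrl: string, receiptHandle: string): Promise<void> {
    const q = this.queue(queueUrl);
    const idx = q.findIndex((m) => m.receiptHandle === receiptHandle);
    if (idx >= 0) q.splice(idx, 1);
  }
}

// Constructed scenario: three dead-lettered messages, one of which fails to resend.
const DLQ_URL = "https://sqs.example.invalid/dlq";
const MAIN_URL = "https://sqs.example.invalid/main";
async function demoRetry() {
  const client = new FakeQueueClient({ [DLQ_URL]: ["a", "b", "c"], [MAIN_URL]: [] });
  client.failOnBodies.add("b");
  const result = await retryFailedMessages(client, DLQ_URL, MAIN_URL);
  return { result, dlq: client.bodies(DLQ_URL), main: client.bodies(MAIN_URL) };
}
```

The permission boundary the issue is after falls out of the interface: the Lambda's role needs `sqs:ReceiveMessage` and `sqs:DeleteMessage` on the DLQ and `sqs:SendMessage` on the main queue, and the person invoking it only needs `lambda:InvokeFunction`. In the constructed run, "a" and "c" are moved and "b" stays in the DLQ.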

Static website: HTTP auth protection

It would be useful to protect a static website with some kind of auth system. It would be great to provide staging versions of a website that are not publicly available.

Maybe with Cloudfront function could be achieved something like basic authentication with username/password credentials?

Originally posted by @andrea-cristaudo in #5 (comment)

Also reported in #78 by @InvisibleKind
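The CloudFront Function approach the issue suggests, as an added example that is not code from the issue or from Lift. The handler follows the viewer-request event shape (lower-cased header names, a returned request to pass through or a response object to short-circuit). Because the function runtime offers no environment variables, the expected `Authorization` header is precomputed from the credentials and compared whole, so the client value never needs decoding; the base64 helper is ASCII-only. Credentials, realm and function names are constructed for this example.

```typescript
// Added example, not Lift's code: HTTP Basic auth check for a CloudFront viewer-request function.

interface CfHeaders { [name: string]: { value: string } }
interface CfRequest { uri: string; headers: CfHeaders }
interface CfResponse { statusCode: number; statusDescription: string; headers: CfHeaders }

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Base64 of an ASCII string (enough for "user:password"; no Buffer/btoa dependency).
function base64Ascii(s: string): string {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const b0 = s.charCodeAt(i);
    const b1 = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
    const b2 = i + 2 < s.length ? s.charCodeAt(i + 2) : 0;
    const triple = (b0 << 16) | (b1 << 8) | b2;
    out += B64[(triple >> 18) & 63] + B64[(triple >> 12) & 63];
    out += i + 1 < s.length ? B64[(triple >> 6) & 63] : "=";
    out += i + 2 < s.length ? B64[triple & 63] : "=";
  }
  return out;
}

// Compare without returning early, so timing does not reveal where the strings diverge.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Builds the viewer-request handler for one set of credentials.
function makeBasicAuthCheck(username: string, password: string, realm = "staging") {
  const expected = "Basic " + base64Ascii(`${username}:${password}`);
  return function handler(request: CfRequest): CfRequest | CfResponse {
    const header = request.headers["authorization"];
    const provided = header ? header.value : "";
    if (constantTimeEqual(provided, expected)) {
      return request; // authenticated: forward to the origin
    }
    return {
      statusCode: 401,
      statusDescription: "Unauthorized",
      headers: { "www-authenticate": { value: `Basic realm="${realm}"` } },
    };
  };
}

// Constructed staging credentials for the demonstration.
const stagingCheck = makeBasicAuthCheck("staging", "s3cret-example");

function isPassThrough(result: CfRequest | CfResponse): boolean {
  return (result as CfRequest).uri !== undefined;
}
```

Two caveats worth keeping in mind when using this for a staging site: Basic auth sends the credentials with every request, so it only makes sense on HTTPS (the default for CloudFront), and it protects the distribution, not the bucket, so the S3 origin still needs origin access control so the site cannot be fetched from the bucket directly.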

[Static website] Build websites with environment variables

Use case:

I want to build my static website (e.g. npm run build) and pass the serverless API URL to the static website as an environment variable.

Possible solution:

constructs:
  landing:
    type: static-website
    path: dist
    build:
      script: 'npm run build'
      environment:
        VUE_APP_API_URL: !GetAtt HttpApi.ApiEndpoint

The build option is optional:

  • if undefined, the user has to build the website before serverless deploy
  • if set, the script will be run during serverless deploy (after the CloudFormation deployment, before uploading the static website to S3)

Challenge: the !GetAtt HttpApi.ApiEndpoint would probably not be resolved by Serverless/Lift since this isn't a variable. So my example above isn't really working, yet this is probably the most common use case. How can we solve this?

Document SQS custom access policy

Maintainer edit: a full solution is documented on this page here.


Hello,

Bottom Line Up Front:

  1. Is it possible to pass a custom access policy to SQS queue created by lift's queue construct
  2. Subscribe SQS queue created by lift's queue construct to SNS topic and apply filter policy for the subscription

Context:
I am currently developing a system where

publisher -> SNS -> filter policy -> SQS -> lambda handler

I am using lift's queue construct to create SQS queue and its handler SQS -> lambda handler

service: email-service

provider:
  name: aws
  runtime: nodejs12.x
  region: ap-southeast-1
  stage: dev
  lambdaHashingVersion: 20201221

constructs:
  EmailQueue:
    type: queue
    worker:
      handler: emailQueueWorker.handler

plugins:
  - serverless-plugin-typescript
  - serverless-lift

Currently, I have been using AWS Console (web) to manually apply filter policy from SNS -> SQS as well as subscribe SQS to an SNS topic.

Then I noticed that SNS was unable to send messages to SQS due to the SQS queue created by the lift queue construct not having a proper access control policy. I had to manually edit the access policy like below:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Allow-SNS-SendMessage",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "sqs:*",
      "Resource": "arn:*****:email-service-dev-KeyShoeEmailQueue"
    }
  ]
}

Would there be a way to:

  1. Pass custom access policy to SQS queue created by lift's queue construct? So that SNS can send messages to SQS
  2. Subscribe SQS queue created by lift's construct to SNS topic with filter policy?

Thank you in advance!
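The queue policy quoted in the issue grants `sqs:*` to the SNS service principal with no source restriction, which is wider than the SNS subscription needs. As an added example (not code from the issue, from Lift, or from AWS), the block below builds the least-privilege form, a single `sqs:SendMessage` statement conditioned on the topic's ARN, and a small audit function that flags the over-broad shape. The region, account id and topic ARN are constructed placeholders; the queue name is the one from the issue.

```typescript
// Added example, not Lift's code: least-privilege SNS-to-SQS queue policy plus a checker.

interface PolicyStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: { Service?: string | string[]; AWS?: string | string[] } | "*";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface PolicyDocument { Version: string; Statement: PolicyStatement[] }

// Allow exactly one topic to deliver to the queue. The aws:SourceArn condition is what
// stops any other SNS topic, in any account, from using the service principal to send.
function snsToSqsPolicy(queueArn: string, topicArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "AllowTopicToSendMessage",
      Effect: "Allow",
      Principal: { Service: "sns.amazonaws.com" },
      Action: "sqs:SendMessage",
      Resource: queueArn,
      Condition: { ArnEquals: { "aws:SourceArn": topicArn } },
    }],
  };
}

// Findings for Allow statements that grant more than a delivery subscription needs.
function auditQueuePolicy(policy: PolicyDocument): string[] {
  const findings: string[] = [];
  policy.Statement.forEach((st, i) => {
    if (st.Effect !== "Allow") return;
    const label = st.Sid ?? `statement ${i}`;
    const actions = Array.isArray(st.Action) ? st.Action : [st.Action];
    if (actions.some((a) => a === "*" || a === "sqs:*")) {
      findings.push(`${label}: wildcard action; delivery only needs sqs:SendMessage`);
    }
    if (st.Principal === "*") {
      findings.push(`${label}: principal "*" allows any caller`);
    }
    const isService = typeof st.Principal === "object" && st.Principal.Service !== undefined;
    const cond = st.Condition ?? {};
    const hasSource = Object.keys(cond).some(
      (op) => "aws:SourceArn" in cond[op] || "aws:SourceAccount" in cond[op],
    );
    if (isService && !hasSource) {
      findings.push(`${label}: service principal without aws:SourceArn/aws:SourceAccount (confused-deputy risk)`);
    }
  });
  return findings;
}

// Placeholder ARNs (region/account are not from the issue; the queue name is).
const QUEUE_ARN = "arn:aws:sqs:ap-southeast-1:111122223333:email-service-dev-KeyShoeEmailQueue";
const TOPIC_ARN = "arn:aws:sns:ap-southeast-1:111122223333:email-events-placeholder";

// The policy from the issue, reproduced with the placeholder ARN.
const issuePolicy: PolicyDocument = {
  Version: "2008-10-17",
  Statement: [{
    Sid: "Allow-SNS-SendMessage",
    Effect: "Allow",
    Principal: { Service: "sns.amazonaws.com" },
    Action: "sqs:*",
    Resource: QUEUE_ARN,
  }],
};

const hardenedPolicy = snsToSqsPolicy(QUEUE_ARN, TOPIC_ARN);
```

In CloudFormation terms (and so in the `resources` section of a serverless.yml) the hardened document is the `PolicyDocument` of an `AWS::SQS::QueuePolicy` whose `Queues` lists the construct's queue URL, and the subscription with its filter is an `AWS::SNS::Subscription` with `Protocol: sqs` and a `FilterPolicy`. Running `auditQueuePolicy` over the issue's policy reports both the wildcard action and the missing source condition; over the hardened one it reports nothing.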

Feature Request: Allow constructs to be delivered via custom Serverless Plugin(s)

I love the idea of this project and would like to make use of it as a Serverless Blueprint delivery mechanism. I am growing Serverless build teams at the moment and being able to deliver blueprints pre-packaged like this is really beneficial.

My proposal is to enable Serverless plugin hooks for the Construct Provider load so that I can use the pre-packaged constructs in Lift OR I can replace the included with my own developed Construct Provider(s) so I can control the blueprints we share OR add my own to the pre-packaged list - I feel both scenarios make sense - Add more constructs of my own or Replace the constructs altogether.

In this way, I could build my own serverless plugin to add my own production-ready constructs built to my Corporate Cloud requirements for security and Least privilege access.

Happy to work on adding this in if you want but wanted to Create this feature request first to understand your current roadmap and whether this is a direction you are planning to head and makes sense for this project.

Happy to discuss offline too if you wanted to chat about it in more detail.

Queue Url Stored as `object Object` in ENV

The environment variable being exposed to the functions using the reference ${construct:myQueue.queueUrl} is being logged as '[object Object]'. That is a string, not even an object that I can parse/print using utils.

[Server-side website] | [Simple function] : in VPC, could you add endpoint gateway

Hi all,
When using a Lambda in a VPC, I understand that it is cut off from the internet. To avoid having to add a NAT Gateway, would it be possible to add a parameter to the constructor (an array of endpoints) to create a gateway to these different endpoints?
I mention in the title the Server-Side Website construct, but this is mostly valid for simple functions.

I don't know if it is possible via LIFT or if it should be managed only via resources

to discuss it

Queue construct not working as documented

Trying to adapt the documentation example so I can manage queues on dev differently but still use lift to create the production queues:

constructs:
  update-segment-memberships-from-contact-changes:
    type: queue

custom:
  update-segment-memberships-sqs-queue-arn:
    dev: ${env:UPDATE_SEGMENT_MEMBERSHIPS_FROM_CONTACT_CHANGES_QUEUE_ARN}
    staging: ${construct:update-segment-memberships-from-contact-changes.queueArn}
    demo: ${construct:update-segment-memberships-from-contact-changes.queueArn}
    production: ${construct:update-segment-memberships-from-contact-changes.queueArn}

functions:
  update_segment_memberships_from_contact_changes:
    events:
      - sqs:
          arn: ${self:custom.update-segment-memberships-sqs-queue-arn.${sls:stage}}
          batchSize: 10
          maximumBatchingWindow: 60

but getting:

Invalid configuration in 'constructs.update-segment-memberships-from-contact-changes': no 'worker' defined. Queue constructs require a 'worker' function to be defined.

Format database names

The database name 'bref-dashboard-backend-prod' is invalid: it must only contain letters and numbers.
