Language: HCL. License: MIT License. Created about 6 years ago; updated almost 2 years ago.


Repository Details

Infrastructure support for Serverless framework apps, done the right way

Terraform Provider Serverless — Formidable, We build the modern web

AWS Serverless Module


Get your serverless framework application to AWS, the right way.


TF Versions

v1 of this module is compatible with Terraform 0.12. Submit pull requests to master.

v0.8 of this module is compatible with Terraform 0.12 and Terraform 0.11. Submit pull requests to the terraform0.11 branch. This branch is in maintenance mode and will not be updated with new features.

Overview

Getting a serverless application all the way to production in AWS correctly and securely can be quite challenging. In particular, things like:

  • Locking down IAM permissions to the minimum needed for different conceptual "roles" (e.g., admin, developer, ci).
  • Providing a scheme for different environments/stages (e.g., development, staging, production).

... lack practical guidance for achieving them in real-world applications.

This Terraform module provides a production-ready base of AWS permissions / resources to support a serverless framework application and help manage development / deployment workflows and maintenance. Specifically, it provides:

  • IAM Groups: Role-specific groups to attach to AWS users to give humans and CI the minimum level of permissions locked to both a specific serverless service and stage/environment.

Concepts

This module allows practical isolation / compartmentalization of privileges within a single AWS account along the following axes:

  • Stage/Environment: An arbitrary environment to isolate -- this module doesn't restrict selection in any way other than there has to be at least one. In practice, a good set of choices may be something like sandbox, development, staging, production.
  • IAM Groups: This module creates/enforces a scheme wherein:
    • Admin: AWS users assigned to the admin group can create/update/delete a serverless application and do pretty much anything that the serverless framework permits out of the box.
    • Developer, CI: AWS users assigned to the developer|ci groups can update a serverless application and do other things like view logs, perform rollbacks, etc.

In this manner, once an AWS superuser deploys a Terraform stack with this module and assigns IAM groups, the rest of the development / devops teams and CI can build and deploy Serverless applications to appropriate cloud targets with the minimum necessary privileges and isolation across services + environments + IAM roles.

Modules

This project provides a core base module that is the minimum that must be used. Once the core is in place, then other optional submodules can be added.

  • Core (/*): Provides supporting IAM policies, roles, and groups so that an engineering team / CI can effectively create and maintain Serverless framework applications locked down to specific applications + environments with the minimum permissions needed.
  • X-Ray (modules/xray): Optional submodule to add needed IAM support to enable AWS X-Ray performance tracing in a Serverless framework application. See the submodule documentation.
  • VPC (modules/vpc): Optional submodule to add needed IAM support to enable a Serverless framework application to deploy in AWS VPC. See the submodule documentation.

IAM Notes

The IAM permissions are locked down to service + environment + role-specific ARNs as much as is possible within the AWS IAM and Serverless framework constraints. All of our modules/submodules use the same set of base ARNs declared, e.g., in variables.tf and can be considered as follows:

Fully locked down: These ARNs are sufficiently locked to service + environment.

  • sls_cloudformation_arn: Serverless-generated CloudFormation stack.
  • sls_deploy_bucket_arn: Serverless deployment bucket that stores Lambda code. (Note that our ARN accounts for service name truncation).
  • sls_log_stream_arn: Serverless target log stream.
  • sls_events_arn: Serverless created CloudWatch events.
  • sls_lambda_arn: Serverless lambda functions.
  • sls_lambda_role_arn: Serverless lambda execution role.

Not locked down: These ARNs could be tighter, but presently are not.

  • sls_apigw_arn: Serverless API Gateway. The issue is that the ID of the resource is dynamically created during Serverless initial provisioning, so this module can't know it ahead of time. We have a filed issue to track and research potential tightening solutions.
  • sls_apigw_tags_arn: Tags for the Serverless API Gateway. Exact same issue as for sls_apigw_arn.

IAM Wildcards: Unfortunately, AWS IAM only allows wildcards ("*") on certain resources, so we cannot actually lock down more. Accordingly, we limit the permissions to only what is needed with a bias towards sticking such permissions in the admin IAM group. Here are our current wildcards:

Core IAM module

  • admin
    • cloudformation:ListStacks
    • cloudformation:PreviewStackUpdate
    • lambda:GetEventSourceMapping
    • lambda:ListEventSourceMappings
    • lambda:ListFunctions
    • lambda:ListTags
    • lambda:TagResource
    • lambda:UntagResource
    • cloudwatch:GetMetricStatistics
  • developer|ci:
    • cloudformation:ValidateTemplate
  • One of the above (depending on opt_many_lambdas):
    • logs:DescribeLogGroups

X-ray submodule

  • Lambda execution role:
    • xray:PutTraceSegments
    • xray:PutTelemetryRecords

VPC submodule

  • developer|ci:
    • ec2:DescribeSecurityGroups
    • ec2:DescribeVpcs
    • ec2:DescribeSubnets
    • ec2:DescribeNetworkInterfaces
  • Lambda execution role:
    • ec2:CreateNetworkInterface
    • ec2:DescribeNetworkInterfaces
    • ec2:DeleteNetworkInterface (It is disappointing that deleting an ENI cannot be limited further...)

Integration

Reference project

Perhaps the easiest place to start is our sample reference project that creates a Serverless framework service named simple-reference that integrates the core module and submodules of this project. The relevant files to review include:

Module integration

Here's a basic integration of the core serverless module:

# variables.tf
variable "stage" {
  description = "The stage/environment to deploy to. Suggest: `sandbox`, `development`, `staging`, `production`."
  default     = "development"
}

# main.tf
provider "aws" {
  region  = "us-east-1"
}

# Core `serverless` IAM support.
module "serverless" {
  source = "FormidableLabs/serverless/aws"

  region       = "us-east-1"
  service_name = "sparklepants"
  stage        = "${var.stage}"

  # (Default values)
  # iam_region          = `*`
  # iam_partition       = `*`
  # iam_account_id      = `AWS_CALLER account`
  # iam_stage           = `STAGE`
  # tf_service_name     = `tf-SERVICE_NAME`
  # sls_service_name    = `sls-SERVICE_NAME`
  # lambda_role_name    = ""
  # role_admin_name     = `admin`
  # role_developer_name = `developer`
  # role_ci_name        = `ci`
  # opt_many_lambdas    = false
  # opt_disable_groups  = false
  # tags = {}
}

That pairs with a serverless.yml configuration:

# This value needs to either be `sls-` + `service_name` module input *or*
# be specified directly as the module input `sls_service_name`, e.g.:
# - `sls-{service_name}`
# - `{sls_service_name}`
service: sls-${self:custom.service}

custom:
  service: "sparklepants"
  stage: ${opt:stage, "development"}

provider:
  name: aws
  # Use the role provided by `terraform-aws-serverless.`
  #
  # **NOTE**: terraform-aws-serverless uses its own Lambda execution role
  # in favor of the Serverless default. It has the same permissions, but
  # allows you to attach IAM policies to it before running `sls deploy`.
  # This prevents failures when trying to run Terraform before deploying
  # your Serverless app.
  role:
    Fn::ImportValue: tf-${self:custom.service}-${self:custom.stage}-LambdaExecutionRoleArn
  runtime: nodejs8.10
  region: "us-east-1"
  stage: ${self:custom.stage}

functions:
  server:
    # ...

layers:
  # Layers defined within a serverless project need be named with a prefix
  # matching the service name in one of the following formats:
  # - `sls-{service_name}-{stage}-{ANYTHING}`
  # - `{sls_service_name}-{stage}-{ANYTHING}`
  vendor:
    path: layers/vendor
    name: sls-${self:custom.service}-${self:custom.stage}-vendor

Let's unpack the parameters a bit more (located in variables.tf):

  • service_name: A service name is something that defines the unique application that will match up with the serverless application. E.g., something boring like simple-reference or graphql-server or exciting like unicorn or sparklepants.
  • stage: The current stage that will match up with the serverless framework deployment. These are arbitrary, but can be something like development/staging/production.
  • region: The deployed region of the service. Defaults to the current caller's AWS region. E.g., us-east-1.
  • lambda_role_name: A custom Lambda execution role to use instead of the module default. If using the xray or vpc modules, make sure to pass this same option and role to them.
  • iam_region: The AWS region to limit IAM privileges to. Defaults to *. The difference with region is that region has to be one specific region like us-east-1 to match up with Serverless framework resources, whereas iam_region can be a single region or * wildcard as it's just an IAM restriction.
  • iam_partition: The AWS partition to limit IAM privileges to. Defaults to *.
  • iam_account_id: The AWS account ID to limit IAM privileges to. Defaults to the current caller's account ID.
  • iam_stage: The stage to limit IAM privileges to. Defaults to the stage variable. Wildcarding stage (e.g. nonprod-*) is a strategy for isolating dynamic environments (e.g. pull request environments) from production ones.
  • tf_service_name: The service name for Terraform-created resources. It is very useful to distinguish between those created by Terraform / this module and those created by the Serverless framework. By default, tf-${service_name} for "Terraform". E.g., tf-simple-reference or tf-sparklepants.
  • sls_service_name: The service name for Serverless as defined in serverless.yml in the service field. Highly recommended to match our default of sls-${service_name} for "Serverless".
  • role_admin_name: The name for the IAM group, policy, etc. for administrators. (Default: admin).
  • role_developer_name: The name for the IAM group, policy, etc. for developers. (Default: developer).
  • role_ci_name: The name for the IAM group, policy, etc. for Continuous Integration (CI) / automation. (Default: ci).
  • opt_many_lambdas: By default, only the admin group can create and delete Lambda functions which gives extra security for a "mono-Lambda" application approach. However, many Lambda applications utilize multiple different functions which need to be created and deleted by the developer and ci group. Setting this option to true enables Lambda function create/delete privileges for all groups. (Default: false)
  • opt_disable_groups: Disables group and group attachment creation while still creating matching IAM policies. Useful in federated accounts or in environments where access is restricted to assumed roles.

Most likely, an AWS superuser will be needed to run the Terraform application for these IAM / other resources.

AWS IAM group integration

Once the core module is applied, three IAM groups will be created in the form of ${tf_service_name}-${stage}-(admin|developer|ci). This typically looks something like:

  • tf-${service_name}-${stage}-admin: Can create/delete/update the Serverless app and global resources like tags.
  • tf-${service_name}-${stage}-developer: Can deploy the Serverless app.
  • tf-${service_name}-${stage}-ci: Can deploy the Serverless app.

Once these groups exist, an AWS superuser can then attach these groups to AWS individual users as appropriate for the combination of service + stage + role (admin, developer, CI). Or, the IAM group attachments could be controlled via Terraform as well!

The main upshot of this is after attachment, a given AWS user has the minimum necessary privileges for exactly the level of Serverless framework commands they need. Our example Serverless application reference project documentation has many examples of various serverless commands and which IAM group can properly run them.
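The parameters and group names above all derive from service_name and stage, so drift between the Terraform inputs and serverless.yml (a renamed service, a layer without the required prefix, a stage outside an iam_stage glob) silently puts a deploy outside the granted IAM scope and surfaces as an AccessDenied during `sls deploy`. The check below is an added example, not the module's own code: it derives the expected group, export and layer names from the README's rules and compares them with a constructed, variable-resolved serverless.yml; that the LambdaExecutionRoleArn export follows tf_service_name is my assumption from the README's example.

```python
"""Check that a Serverless service's names fall inside the IAM scope that the
terraform-aws-serverless module grants for a given set of inputs.  Added example,
not the module's own code: naming rules are transcribed from the README, and the
serverless config is a hand-built dict standing in for a resolved serverless.yml."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List


@dataclass
class ModuleInputs:
    service_name: str
    stage: str
    tf_service_name: str = ""   # README default: tf-${service_name}
    sls_service_name: str = ""  # README default: sls-${service_name}
    iam_stage: str = ""         # README default: ${stage}; may be a glob like nonprod-*

    @property
    def tf_name(self) -> str:
        return self.tf_service_name or f"tf-{self.service_name}"

    @property
    def sls_name(self) -> str:
        return self.sls_service_name or f"sls-{self.service_name}"

    def iam_groups(self) -> List[str]:
        # ${tf_service_name}-${stage}-(admin|developer|ci), as the core module creates them
        return [f"{self.tf_name}-{self.stage}-{r}" for r in ("admin", "developer", "ci")]

    def lambda_role_export(self) -> str:
        # README example: tf-<service>-<stage>-LambdaExecutionRoleArn (assumed to follow tf_name)
        return f"{self.tf_name}-{self.stage}-LambdaExecutionRoleArn"


def check_serverless_config(inputs: ModuleInputs, sls: dict) -> List[str]:
    """Return mismatches between the resolved serverless.yml and the module's naming
    scheme; an empty list means the module's IAM policies should cover the deploy."""
    problems = []
    if sls.get("service") != inputs.sls_name:
        problems.append(f"service {sls.get('service')!r} should be {inputs.sls_name!r}")
    # iam_stage may be a glob; a deploy stage outside it gets no IAM grant at all
    if not fnmatchcase(inputs.stage, inputs.iam_stage or inputs.stage):
        problems.append(f"stage {inputs.stage!r} is outside iam_stage {inputs.iam_stage!r}")
    provider = sls.get("provider", {})
    role, export = provider.get("role"), inputs.lambda_role_export()
    if not (isinstance(role, dict) and role.get("Fn::ImportValue") == export):
        problems.append(f"provider.role should import {export!r}")
    prefix = f"{inputs.sls_name}-{inputs.stage}-"  # README layer naming rule
    for key, layer in sls.get("layers", {}).items():
        if not str(layer.get("name", "")).startswith(prefix):
            problems.append(f"layer {key}: name must start with {prefix!r}")
    return problems


# Constructed, resolved view of the README's serverless.yml for sparklepants in
# development, plus one deliberate drift: a layer named without the required prefix.
SAMPLE_SLS = {
    "service": "sls-sparklepants",
    "provider": {
        "name": "aws", "region": "us-east-1", "stage": "development",
        "role": {"Fn::ImportValue": "tf-sparklepants-development-LambdaExecutionRoleArn"},
    },
    "layers": {
        "vendor": {"path": "layers/vendor", "name": "sls-sparklepants-development-vendor"},
        "tools": {"path": "layers/tools", "name": "tools-layer"},
    },
}

if __name__ == "__main__":
    inputs = ModuleInputs(service_name="sparklepants", stage="development")
    print("IAM groups to attach:", inputs.iam_groups())
    print("Mismatches:", check_serverless_config(inputs, SAMPLE_SLS))
```

Feed it the output of `sls print` for a real service to get the variable-resolved configuration instead of the constructed dict.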

Maintenance Status

Stable: Formidable is not planning to develop any new features for this project. We are still responding to bug reports and security concerns. We are still welcoming PRs for this project, but PRs that include new features should be small and easy to integrate and should not include breaking changes.
