Example production Serverless files

Update: Well turns out the new provisioned concurrency feature is mostly unusable. The hidden cost of Lambda provisioned concurrency pricing explains why but unfortunately the cost is not at all hidden. Uclusion was billed $3,347.63 for 803,424,893.570 Lambda-GB-Second on Lambdas that were not costing anything under the “warmup” way. We are disputing the charge but will have to revert to trying to solve cold starts with the synthetic traffic plugin.

Uclusion uses Serverless to deploy Lambdas in AWS. There are many aspects to our configuration so this post just walks you through a basic abbreviated file. You can use Serverless documentation to understand the key words.

service: uclusion-market-api

plugins:
  - serverless-plugin-aws-alerts
custom:
  alerts:
    topics:
      alarm:
        topic: uclusion-market-api-${opt:stage, self:provider.stage}-alerts-alarm
        notifications:
          - protocol: email
            endpoint: [an email address]
    alarms:
      - functionErrors
      - functionThrottles*

*provider:
  name: aws
  runtime: python3.7
  region: us-west-2
  versionFunctions: false
  usagePlan:
    quota:
      limit: ${ssm:/usageplan/limit}
      period: DAY
    throttle:
      burstLimit: 400
      rateLimit: 100
  apiGateway:
    apiKeySourceType: AUTHORIZER
  environment:
    usersServicePrefix: uclusion-users-dev-
    marketsServicePrefix: uclusion-markets-dev-
    USER_POOL_ID: us-west-2_${ssm:/userpool/id}
    COGNITO_CLIENT_ID: ${ssm:/cognito/client/id~true}
    GLOBAL_CAPABILITY_SECRET_KEY: ${ssm:/capability/secret/key~true}
    CAPABILITY_SIGNING_ALGORITHM: HS256
    myRegion: us-west-2

package:
  exclude:
    - node_modules/**
    - .idea/**
    - env/**
    - tests/**
    - README.md
    - setup.cfg
    - package.json
    - package-lock.json

functions:
  authorizerFunc:
    provisionedConcurrency: 5
    handler: authorizers/long_capability_auth.lambda_handler
    role: arn:aws:iam::${ssm:/account/id}:role/requests/generalapi/policy/GeneralAPIRoleShared
    layers: ${file(layers.yml):${opt:stage, self:provider.stage}}
  update_investment:
    provisionedConcurrency: ${ssm:/account/provisioned}
    role: arn:aws:iam::${ssm:/account/id}:role/requests/generalapi/policy/GeneralAPIRoleShared
    handler: handlers/investment_update.update
    layers: ${file(layers.yml):${opt:stage, self:provider.stage}}
    timeout: 20
    events:
      - http:
          path: invest
          method: post
          private: true
          cors: true
          authorizer: ${file(authorizer.yml):${opt:stage, self:provider.stage}}
  remove_investment:
    provisionedConcurrency: ${ssm:/account/provisioned}
    role: arn:aws:iam::${ssm:/account/id}:role/requests/generalapi/policy/GeneralAPIRoleShared
    handler: handlers/investment_remove.delete
    layers: ${file(layers.yml):${opt:stage, self:provider.stage}}
    timeout: 20
    events:
      - http:
          path: invest/{investible_id}
          method: delete
          private: true
          cors: true
          authorizer: ${file(authorizer.yml):${opt:stage, self:provider.stage}}
  get_market:
    provisionedConcurrency: ${ssm:/account/provisioned}
    role: arn:aws:iam::${ssm:/account/id}:role/requests/generalapi/policy/GeneralAPIRoleShared
    handler: handlers/get_market.get
    layers: ${file(layers.yml):${opt:stage, self:provider.stage}}
    events:
      - http:
          path: get
          method: get
          private: true
          cors: true
          authorizer: ${file(authorizer.yml):${opt:stage, self:provider.stage}}
  update_market:
    provisionedConcurrency: ${ssm:/account/provisioned}
    role: arn:aws:iam::${ssm:/account/id}:role/requests/generalapi/policy/GeneralAPIRoleShared
    handler: handlers/market_update.update
    layers: ${file(layers.yml):${opt:stage, self:provider.stage}}
    events:
      - http:
          path: update
          method: patch
          private: true
          cors: true
          authorizer: ${file(authorizer.yml):${opt:stage, self:provider.stage}}
resources:
  Resources:
    GatewayResponseDefault4XX: *# See https://serverless.com/blog/cors-api-gateway-survival-guide
      *Type: 'AWS::ApiGateway::GatewayResponse'
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
        ResponseType: DEFAULT_4XX
        RestApiId:
          Ref: 'ApiGatewayRestApi'

Here the authorizer.yml is

dev:
  name: authorizerFunc
  authorizer_type: TOKEN
  identitySource: method.request.header.Authorization

and the layers.yml is

dev:
  - ${cf:udcommon-layer-dev.UdcommonLayerExport}
  - ${cf:ucommon-layer-dev.UcommonLayerExport}
  - ${cf:ubcommon-layer-dev.UbcommonLayerExport}

and you use the environment section in your Lambda Python code like so

os.environ['usersServicePrefix']

One of the more confusing points when you initially setup using AWS Lambdas is the API Gateway stage feature. So far Uclusion has not found a way to make use of that feature at all. We created an organization with three accounts — dev, stage and production and use the same Serverless yml to deploy to each of them (using CircleCI). So each environment has only one API Gateway stage.

In theory you could canary test a new version of the API in production by having a second stage but in practice the new stage shares SSM configuration (see ssm: usage above), DynamoDB, DynamoDB streams, etc. and so if the canary dies the whole site might die as well.

Another confusing aspect is the provisionedConcurrency. Any call you make to an outside static resource like os.environ[‘usersServicePrefix’] must be globally declared in your Python file — not inside a method. Otherwise instead of the call being made once when the Lambda is provisioned it will be made every time the method is called.

Also confusing with provisionedConcurrency you will see in your logs something like

Init Duration: 2285.65 ms

when you run a Lambda. Even more confusing is that if you run that Lambda twice in a row the init duration won’t be there on the second call. I can’t say for certain what is happening but it was the same with the old warm-up plugin running every 5 minutes.

Finally make sure to thoroughly read the API Gateway limits ahead of time; I promise that will be time well spent!

David Israel
David Israel Co-Founder of Uclusion