Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add full support for stages #20

Closed
jamesls opened this issue Jul 11, 2016 · 10 comments
Closed

Add full support for stages #20

jamesls opened this issue Jul 11, 2016 · 10 comments

Comments

@jamesls
Copy link
Member

jamesls commented Jul 11, 2016

Right now, the stages feature needs more work to be feature complete. The proposed idea is:

  • chalice deploy prod - Will create a new API gateway stage if necessary
  • The lambda function code is zipped up and sent to lambda. A new function version is created
  • A lambda alias for the the stage name points to the new function version updated.

I also need to update the API gateway integration request to forward to the appropriate lambda function based on the stage name. I'll need to add a context variable with the stage name.

I'd also like to add an optimization to just update lambda aliases when you go from dev->prod where the lambda code has not changed. In that case we can just flip the alias.

@garnaat
Copy link
Collaborator

garnaat commented Jul 11, 2016

What is the stage in API Gateway buying us in this scenario? This isn't really a Chalice-specific question. This is a general question about Lambda and API Gateway although I think it's important that the approach we build into Chalice make sense.

Stages seem to be an attempt to provide some sort of resource isolation but I think accounts are really a much better way to accomplish isolation because they can be applied to all resource types, not just API Gateway endpoints.

So, if we are using accounts for isolation it seems like we would just deploy new versions of functions within the appropriate account, move aliases around as necessary and stages would be superfluous.

Thoughts?

@timff
Copy link

timff commented Jul 18, 2016

Yes, I agree accounts are much better way for resource isolation.

In my opinion, stage only required if you have multiple environments in one account, for example, DEV and TEST in one account, while PREPROD and PROD in another. But this is really API Gateway specific.

@JamieCressey
Copy link

In my mind, stages are a must for dev, test, prod environments. Creating additional accounts will not be an option for everyone.

@garnaat
Copy link
Collaborator

garnaat commented Jul 18, 2016

@JamieCressey I'm curious how you would isolate other resources in that scenario. For example, if you had a DynamoDB table that the API was fronting.

Also curious why additional accounts would not be an option. What would be the barrier?

@JamieCressey
Copy link

@garnaat assuming we are talking about AWS accounts here, there's a multitude of reasons why a corporation would have problems here; cost consolidation being one.

Depending on what isolation you mean, in our current setup (using Serverless) we have a custom role per Lambda function (and therefore API endpoint) which restricts access to the bare minimum per function.

@garnaat
Copy link
Collaborator

garnaat commented Jul 30, 2016

I am talking about AWS accounts.

In my experience most people rely on AWS accounts for resource isolation between prod accounts and dev/test accounts. I'm not saying there aren't other ways to get reasonable isolation but accounts are pretty bulletproof.

So I'm curious how people accomplish sufficient isolation for non-API Gateway resources using stages.

@mannytoledo
Copy link

@JamieCressey On a billing level, AWS is more than willing to aggregate all costs into one account. This way you can have 1 place to go for billing but can still have a logical divide of multiple accounts.

AWS and most large corporations suggest multiple accounts for security reasons. It reduces the risk and complexity of isolating access to parts of infrastructure.

I've seen the model where there are 3 api endpoints/lambas for each tier, and it works well. It would really be nice to also have a multi-account model. Maybe a place where credentials can be configured in per tier or even using AWS profiles?

@sdole
Copy link

sdole commented Aug 5, 2016

Could be just a matter of operational preference. We don't prefer multiple accounts. We do deal with ongoing IAM operations for safely isolating resources. Cost allocation is done via tags. Admittedly, we are on year 2 of our AWS migration, it might change after we are all in.

@jamesls
Copy link
Member Author

jamesls commented Mar 29, 2017

There's a PR with a first attempt at this approach: #264
Hopefully this is a reasonable compromise of the suggested approaches so far:

  • API Gateway "stages" are no longer used.
  • A "chalice stage" is a completely separate set of AWS resources (APIG, Lambda function, IAM role, etc).
  • You can still use separate accounts for isolation (in this case you'd specify a --profile to a different account if you were deploying locally)
  • You can have multiple chalice stages in the same account if you want. Also allows for nice integration with CodePipelines.

So for example, running:

$ chalice deploy dev
...
$ chalice deploy prod

Will result in 2 APIG APIs, 2 lambda functions, 2 roles, etc. I'm also adding lambda env var integration so if you had other resources such as DDB tables, you could configure a separate table per stage and specify the table names vie environment variables that are passed to the lambda function.

@jamesls
Copy link
Member Author

jamesls commented Apr 28, 2017

Closing, #264 has been merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants