This deploys an example Amazon DocumentDB instance, Amazon API Gateway, and AWS Lambda Function.
This will:
- Use the Amazon DocumentDB Service.
- Create a Database instance.
- Build an example Go AWS Lambda Function as a Container Image.
- At each request, increment the
counters.hits.counterproperty, and return its modified value. - Create the
countersdatabase. - Create the
hitsdatabase collection. - Get the database credentials from a Secret.
- The Secret is stored in AWS Secrets Manager.
- Upload it to the Amazon ECR.
- At each request, increment the
- Create an Amazon API Gateway.
- Configure it to use the Go AWS Lambda Function.
- Create a VPC and all the required plumbing required for the Go AWS Lambda
Function to use an Amazon DocumentDB Database instance.
- Make the Document DB Database instance available in a VPC database subnet.
- Make the Secrets Manager service endpoint available as a VPC Endpoint.
Install the dependencies:
Set the AWS Account credentials using SSO:
# set the environment variables to use a specific profile.
# e.g. use the pattern <aws-sso-session-name>-<aws-account-name>-<aws-account-role>-<aws-account-id>
export AWS_PROFILE=example-dev-AdministratorAccess-123456
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
# set the account credentials.
# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso
aws configure sso
# dump the configured profile and sso-session.
cat ~/.aws/config
# show the user, user amazon resource name (arn), and the account id, of the
# profile set in the AWS_PROFILE environment variable.
aws sts get-caller-identityOr, set the AWS Account credentials using an Access Key:
# set the account credentials.
# NB get these from your aws account iam console.
# see Managing access keys (console) at
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
export AWS_ACCESS_KEY_ID='TODO'
export AWS_SECRET_ACCESS_KEY='TODO'
unset AWS_PROFILE
# set the default region.
export AWS_DEFAULT_REGION='eu-west-1'
# show the user, user amazon resource name (arn), and the account id.
aws sts get-caller-identityReview the inputs.tf file.
Initialize the project:
terraform init -lockfile=readonlyDeploy the example:
terraform applyShow the terraform state:
terraform state list
terraform showAccess the example service (hosted by the Go AWS Lambda Function Container):
example_url="$(terraform output --raw example_url)"
curl \
-s \
-X GET \
"$example_url" \
| jqYou should see a response alike the following, where the hitsCounter property
value is incremented after each request:
{
"hitsCounter": 1
}Test recreating the lambda function:
terraform destroy -target=module.example_lambda_function
terraform applyDestroy the example:
terraform destroyList this repository dependencies (and which have newer versions):
GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN' ./renovate.sh- There is no way to use an AWS IAM Role to authenticate as a DocumentDB User.
- This means we cannot use the Lambda Function IAM Role as a password-less authentication mechanism. So, we must manage the DocumentDB User password.