Hi folks,
This is a proposal to integrate AWS Lambda serverless support into Apache
APISIX. We just have integrated the azure functions faas plugin into the
ecosystem and the addition of lambda from aws will extend the use case of
apisix in diverse scenarios.
Proposed plugin name: `aws-lambda`
The plugin takes the AWS API Gateway URI as a dynamic upstream and any
request to the particular apisix gateway URI where the plugin is enabled
gets proxied to the lambda function through the AWS gateway.
Before discussing any plugin-specific information, I want to talk about the
refactoring on #5616 [1]. If we notice closely, all the serverless plugins
from different vendors do one thing in common - terminate the incoming
request and initiate another request to the modified upstream and return
the response body with the headers. Also except for the authorization
information, the attributes of the plugin schema are exactly similar.
That's why #5616 abstracts away the generic code into the
`generic-upstream.lua` module. So any new plugin can make use of this
package module -
How developers should write new (faas) plugins:
1. They should define plugin-specific authorization schema & metadata
schema(if required)
2. Write a request_processor function on the plugin lua file that takes
`plugin conf, ngx context and the URL params (that contains headers, body,
urlpath, query params etc. etc.)". The function can perform a series of
operations including updating/adding the necessary authorization headers,
performing encoding/decoding (base64 or anything) on the body, request
signing etc.
3. And yes, that's it. (see the azure-functions and aws-lambda Lua code for
example)
-- Now again coming back to the aws-lambda plugin, for the initial version
we are going to support authorization via apikey and AWS IAM request
signing.
The authz schema looks like
```
{
type = "object",
properties = {
-- API Key based authorization
apikey = {type = "string"},
-- IAM role based authorization, works via aws v4 request signing
-- more at
https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
iam = {
type = "object",
properties = {
accesskey = {
type = "string",
description = "access key id from from aws iam console"
},
secretkey = {
type = "string",
description = "secret access key from from aws iam
console"
},
aws_region = {
type = "string",
default = "us-east-1",
description = "the aws region that is receiving the
request"
},
service = {
type = "string",
default = "execute-api",
description = "the service that is receiving the
request"
}
},
required = {"accesskey", "secretkey"}
}
}
}
```
I have opened a PR [2] implementing the same including the support for
authorization via request signing with AWS signature v4. So end-users can
choose either one of the two ways to authorize invocations into AWS lambda.
No worries, next week I am going to write a blog discussing the same. Stay
tuned.
Thank you! Feel free to share your views, suggestions or anything.
Best regards,
Bisakh <https://github.com/bisakhmondal>
[1]: https://github.com/apache/apisix/pull/5616
[2]: https://github.com/apache/apisix/pull/5594
