LazyStack can generate stacks with one or more ApiGateways. This is normally done to optimize the cost and security for different functionality in your app. Here is an example where we provide two ApiGateways and map our OpenApi routes to four tags. Your application may have very different security requirements, but this example should give you a good idea of the flexibility you have to address your specific requirements.
Your OpenApi tags must reflect the security requirement. This is best understood by example. Here's an OpenApi specification snippet with four tags that let us specify which routes need to be handled in a "secure" way.
```yaml
# PetStore.yaml
openapi: 3.0.0
info:
...
tags:
  - name: order
  - name: orderSecure
  - name: pet
  - name: petSecure
...
```
Each tag generates a Lambda Function project and AWS Resource.
Tag | Project | AWS Resource |
---|---|---|
order | Order.csproj | Order AWS::Serverless::Function |
orderSecure | OrderSecure.csproj | OrderSecure AWS::Serverless::Function |
pet | Pet.csproj | Pet AWS::Serverless::Function |
petSecure | PetSecure.csproj | PetSecure AWS::Serverless::Function |
Next we map the tags to ApiGateways that provide the desired security. This is accomplished using the ApiTagMap directive in the LazyStack.yaml file:
```yaml
# LazyStack.yaml
ApiTagMap:
  ApiSecure:
    - orderSecure
  HttpApiSecure:
    - pet
    - order
    - petSecure
```
Tag | Project | AWS Resource | ApiGateway |
---|---|---|---|
order | Order.csproj | Order AWS::Serverless::Function | HttpApiSecure AWS::ApiGateway::HttpApi |
orderSecure | OrderSecure.csproj | OrderSecure AWS::Serverless::Function | ApiSecure AWS::ApiGateway::Api |
pet | Pet.csproj | Pet AWS::Serverless::Function | HttpApiSecure AWS::ApiGateway::HttpApi |
petSecure | PetSecure.csproj | PetSecure AWS::Serverless::Function | HttpApiSecure AWS::ApiGateway::HttpApi |
The references to ApiSecure and HttpApiSecure will cause these predefined ApiGateway resources to be included in your application's serverless.template file. The Lambdas will be configured to be called from the ApiGateway they are mapped to, as shown in the following diagram:
The ApiGateways, not the Lambda Functions, provide end-point security in this model. The Lambda Functions are provisioned to allow access only from the ApiGateway they are associated with.
The LazyStackAuth and ClientSDK libraries handle the signing of HttpRequests for you.
Routes

The final step in configuring your security is to assign one of the four tags to each of the routes in your OpenApi specification. The LazyStack ClientSDK will ensure the route associated with the tag is available in the correct ApiGateway and the correct security is applied to that route.
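
The tag-to-gateway wiring described on this page can be checked before deployment. The following is an added example, not LazyStack code: it takes the parsed OpenApi specification and LazyStack.yaml as dicts and reports any tag or route that does not resolve to exactly one ApiGateway. The route paths are hypothetical, and treating an unmapped or doubly mapped tag as an error is an assumption, since the page does not say how LazyStack handles those cases.

```python
# Added example: cross-check OpenApi tags against ApiTagMap (not LazyStack code).
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def check_tag_map(spec, lazystack):
    """Return (routes, problems); routes maps (METHOD, path) -> ApiGateway name."""
    declared = {t["name"] for t in spec.get("tags", [])}
    owners = {}  # tag -> list of ApiGateways whose ApiTagMap entry names it
    for gateway, tags in lazystack.get("ApiTagMap", {}).items():
        for tag in tags or []:
            owners.setdefault(tag, []).append(gateway)
    problems = []
    for tag in sorted(declared - set(owners)):
        problems.append(f"tag '{tag}' is not mapped to any ApiGateway")
    for tag, gateways in sorted(owners.items()):
        if tag not in declared:
            problems.append(f"ApiTagMap names undeclared tag '{tag}'")
        if len(gateways) > 1:
            problems.append(f"tag '{tag}' is mapped to {len(gateways)} ApiGateways")
    routes = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as 'parameters'
            tags = op.get("tags", [])
            gateways = owners.get(tags[0], []) if len(tags) == 1 else []
            if len(gateways) == 1:
                routes[(method.upper(), path)] = gateways[0]
            else:
                problems.append(f"{method.upper()} {path}: tags {tags} do not select one ApiGateway")
    return routes, problems

# Constructed sample input: the tags and ApiTagMap from this page, plus
# hypothetical routes, written as the dicts a YAML parser would return.
SPEC = {
    "tags": [{"name": n} for n in ("order", "orderSecure", "pet", "petSecure")],
    "paths": {
        "/pet/{petId}": {"get": {"tags": ["pet"]}},
        "/pet": {"post": {"tags": ["petSecure"]}},
        "/order/{orderId}": {"get": {"tags": ["order"]}},
        "/order": {"post": {"tags": ["orderSecure"]}},
    },
}
LAZYSTACK = {"ApiTagMap": {"ApiSecure": ["orderSecure"],
                           "HttpApiSecure": ["pet", "order", "petSecure"]}}

if __name__ == "__main__":
    routes, problems = check_tag_map(SPEC, LAZYSTACK)
    for (method, path), gateway in sorted(routes.items()):
        print(f"{method:5} {path:18} -> {gateway}")
    for p in problems:
        print("PROBLEM:", p)
```

A route that lands in `problems` is one whose ApiGateway, and therefore whose endpoint security, cannot be determined from the two files alone.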