An Opinionated View of AWS SAM Connectors

A newer version of AWS SAM CLI (1.59.0) was released two days ago and its change-log indicates new capabilities associated with AWS SAM Connectors.

SAM connectors are constructs designed to reduce the complexity of authoring IAM permissions that adhere to least privilege principles. The example below portrays a basic usage of SAM Connector to define a minimal integration between a Lambda function and a DynamoDB.

Pay attention to the AWS::Serverless::Connector resource with a logical ID of "WriteFunctionConnector". It requires one to define:

  • A Source — Source of event (EG. API Gateway, S3, DynamoDB)
  • A Destination — Often a storage (DynamoDB, S3), asynchronous invocation medium (SQS, SNS, Step Functions) or compute (Lambda)
  • Permissions granted to source — AWS SAM will automatically compose the necessary access policies required for this connection to work.

SAM Veterans May Not Agree with "Simple"

As a daily user of SAM-templates for the past 3 and a half years, I personally find defining constructs worth 9 lines of code more tedious compared to using SAM policy templates that would typically require 3 lines of code for simple use-cases. SAM Connectors maybe more viable for more complex IAM definitions like Secrets Manager, Amazon Transcribe, Amazon Comprehend.

By using SAM policy templates, it only takes 3 lines of code to grant the put function the same write permission to a similar DynamoDB table defined on the previous example.

It However Reduces the Entry Barrier to Writing COMPLEX IAM Policies

I could remember starting to define my own IAM permissions using IAC tooling a couple of years ago, it was especially painful because some integrations did require me to write custom IAM roles (EG. Transcribe , Secrets manager, Comprehend) for more advance Lambda use-cases.

IMHO, SAM connectors bring value to engineering teams by reducing the level of complexity associated with creating and reading COMPLEX IAM policies.

By abstracting away the definition of "Write" and "Read" capabilities, SAM Connectors may have a huge impact on:

  1. Grooming serverless rookies.
  2. Scaling number of engineers who can write more advanced IAM policies.
  3. Automatic grant of newer "Read" and "Write capabilities" to your workloads.

Number of Integrations Matter

One common pitfall an engineering team could potentially encounter when using SAM connectors is abusive usage of SAM connectors. Just imagine a Lambda function that needs to access three different DynamoDB tables.

Do engineers really need to write 27 lines of code for this? I would say no and just go ahead with using SAM policy templates for simpler use-cases like providing write and read permissions to DynamoDB tables or managing s3 buckets.

Using SAM Connectors and Policy Templates Together

IMHO, SAM connectors do n ot render SAM policy templates obsolete and vice versa. SAM connectors and policy templates can be used in conjunction with each other when building more advanced SAM templates.

An example of this could be an integration with AWS services that require complex IAM definitions (Secrets Manager, Transcribe, Lex, Comprehend), DevOps service, etc.) and simple IAM definitions (DynamoDB Write, S3 Write, SQS Publish, etc.) at the same time.

Maintainability and Security

SAM abstracting the definition of "Read" and "Write" is a double-sided broadsword that one could brandish.

In the event of AWS releasing new capabilities that could get classified as "Read" permission. Upgrading your AWS SAM CLI could either harm or benefit your organization by adding new "Read" capabilities without explicit instructions from your engineering team. The same goes for "Write" permissions which often lead to unnecessary grants of data manipulation capabilities to functions that may not need every single write feature.

Abstracting away the definition of "Read" and "Write" may break the repeatability of resource definitions (Which is the whole point of Infrastructure-as-Code) if the AWS SAM team don't consider versioning the "Read" and "Write" definition in the future.

Spread in Different Sections Could be Fatal

Imagine working on large SAM projects that involve multiple CloudFormation stacks and large SAM templates (2000+ lines of code).

If engineering teams do not define how to group the SAM connector templates, SAM connectors can spread into different sections of large SAM templates.

This phenomenon could easily make maintenance a nightmare as engineers have to seek integration definitions in multiple places when trying to maintain code written by other engineers.

Conclusion

  • SAM Connectors reduce the effort required in defining "complex" integrations between resources that didn't have SAM Policy Templates previously by abstracting the definition of "read" and "write" permissions to AWS resources.
  • SAM Policy templates are more efficient in terms of code lines required to define simple integrations to traditional destinations like S3 buckets, DynamoDB tables, SQS queues, etc.
  • SAM Connectors provide a more flexible way of specifying source and destination by offering different parameters (ARNs, IDs, Names, ETC.) compared to the limited name-based SAM Policy templates that we once had.
  • SAM Connectors increased the number of code lines required to define integrations. Spreading SAM connector definitions across a template could also increase the maintainability burden of SAM templates by spreading out integration details in different sections of large SAM templates.

I'm interested to know your opinions about SAM connectors. Write you r thoughts down in the comments section. I'll love to have a discussion with you regarding SAM connectors.

References

An Opinionated View of AWS SAM Connectors was originally published in Towards AWS on Medium, where people are continuing the conversation by highlighting and responding to this story.

Namaste Devops is a one stop solution view, read and learn Devops Articles selected from worlds Top Devops content publishers inclusing AWS, Azure and others. All the credit/appreciations/issues apart from the Clean UI and faster loading time goes to original author.

Comments

Post a Comment

Did you find the article or blog useful? Please share this among your dev friends or network.

An android app or website on your mind?

We build blazing fast Rest APIs and web-apps and love to discuss and develop on great product ideas over a Google meet call. Let's connect for a free consultation or project development.

Contact Us

Trending DevOps Articles

EC2 Random name Generator using Python script

Happy to show you all my latest project in python. ** EC2 Random Name Generato r** This python project is about generating a unique name for the "x" number of EC2 instances for a department and generating random characters and numbers that will be included in the unique name. This is especially important when in an organization, there are so many users, departments sharing an AWS environment. This ensures that they are properly named and are unique so any team member can easily tell to which department he/she belongs to. The ONLY departments that should use this Name Generator are Marketing, Accounting and FinOps. The user then lists these departments as options and if a user puts another department, the program will print a message that they should not use this Name Generator and the program should exi t. Also it checks whether an input has an incorrect upper or lowercase letters for the corresponding department. This program also checks for any negative number input for ...
Read more

Reduce your Google Cloud Spend

Trying to reduce your spend seems to be easy, starting by : Shutting down your resources when you don't use it Deleting your unused resources Control who can enable new resources But sometimes it's not enough ! Try to check what are the most used services by looking at your billing export : There is 2 very interesting services in this list : Cloud Run Cloud SQL What can we do for these two ? Committed use discounts (CUDs) for Cloud Run is a 17% discounted pricing in exchange of a continuously use in a particular region for a one year term minimum (up to 3 years max). You commit is in dollars per hour of equivalent on-demand spend. In exchange, you receive a discounted rate on the applicable usage your commitment covers. It's only counting for one specific choosed Google location Any overage is charged at the on-demand rate. You still receive the same discount percentage on applicable usage in the event of a price change. The commitment fee is billed monthly. It's a...
Read more

Approach 1-Integrating Gitlab repository with Cloud Build Triggers via webhook and creating CI/CDรข€¦

Approach 1-Integrating Gitlab repository with Cloud Build Triggers via webhook | CI/CD pipelines with GKE Hello everyone ๐Ÿ‘‹, In this blog we will build the code from Gitlab repository and deploy our code to Google Kubernetes Engine by integrating it with Cloud Build. Photo by Nicolas Gonzalez on  Unsplash As we can see Cloud Build Triggers doesn't give direct option to build our code from Gitlab repository . Only Github, Bitbucket and Google Source Repository are available. So for selecting Gitlab as a source repository , we have 2 approaches. Approach 1  —  In order to build our code with Gitlab, we need to introduce Gitlab webhooks to build our code and to automate our builds in response to webhook events. Approach 2  —  ( Best Practise ). By creating Mirroring of Repository between Gitlab and Google Cloud Source Repository to use advanced features with our builds that CSR(Cloud Source Repository) provides . In this method we will first mirror the Gitlab repository, then we w...
Read more

Anthos Config Management

Hey everyone, I hope you all are doing well. You might have read my previous article on Anthos Service Mesh. In this article, I wanted to give you an overview of Anthos Config Management. For a career in tech, subscribe to The Cloud Pilot Anthos Config Management Overview Anthos Config Management is a configuration and policy management service that enables continuous protection and configuration of Google Cloud. It consists of three components: Policy Controller, Config Sync, and Config Controller Benefits Many benefits come along with Anthos Config Management since it automatically synchronize s configurations and applies policies across multiple clusters. Some of them are: Simplified Management Consistent configurations and policy management Scalability across environments Security and Compliance Components As mentioned earlier, 3 components work together as a single service called Anthos Config Management. They are: Policy Controller Policy Controller enables the enforcement of...
Read more

From Cloud Chaos to Cloud Smart With Multi-Cloud Services

Organizations that embrace multi-cloud services experience real results and a heap of advantages—including greater resiliency, agility and data sovereignty. This is why it's no surprise the majority of enterprises today are using two or more public clouds, with 81% reporting in a recent survey that they plan to adopt a multi-cloud strategy by 2024. But […] The post From Cloud Chaos to Cloud Smart With Multi-Cloud Services appeared first on DevOps.com . Namaste Devops is a one stop solution view, read and learn Devops Articles selected from worlds Top Devops content publishers inclusing AWS, Azure and others. All the credit/appreciations/issues apart from the Clean UI and faster loading time goes to original author .
Read more

Popular DevOps Categories

AWS Devops aws devops use cases best devops tutorial for beginners AWS DevOps Guru Azure Business Analytics DataOps DataOps Automation DevOps Interview Questions
Docker aws cdk application load balancer AWS CDK Application security AWS CDK application Application Load Balancers with DevOps Guru Auto scale group Automation Autoscale EC2 Autoscale VPC Autoscaling AWS Azure DevOps Big Data BigQuery CAMS DevOps Containers Data Observability Frequently Asked Devops Questions in Interviews GCP Large Table Export GCP Serverless Dataproc DB Export GTmetrix Page Speed 100% Google Page Speed 100% Healthy CI/CD Pipelines How to use AWS Developer Tools IDL web services Infrastructure as code Istio App Deploy Istio Gateways Istio Installation Istio Official Docs Istio Service Istio Traffic Management Java Database Export with GCP Jenkin K8 Kubernetes Large DB Export GCP Linux MSSQL March announcement MySQL Networking Popular DevOps Tools PostgreSQL Puppet Python Database Export with GCP Python GCP Large Table Export Python GCP Serverless Dataproc DB Export Python Postgres DB Export to BigQuery Sprint Top 100 Devops Questions TypeScript Client Generator anti-patterns of DevOps application performance monitoring (APM) aws amplify deploy blazor webassembly aws cdk application load balancer security group aws cdk construct example aws cdk l2 constructs aws cdk web application firewall aws codeguru reviewer cli command aws devops guru performance management aws service catalog best practices aws service catalog ci/cd aws service catalog examples azure Devops use cases azure devops whitepaper codeguru aws cli deploy asp.net core blazor webassembly devops guru for rds devops guru rds performance devops project explanation devops project ideas devops real time examples devops real time scenarios devops whitepaper aws docker-compose.yml health aware ci/cd pipeline example host and deploy asp.net core blazor webassembly on AWS scalable and secure CI/CD pipelines security vulnerabilities ci cd pipeline security vulnerabilities ci cd pipeline aws smithy code generation smithy server generator
Show more