awslabs / crossplane-on-eks

Crossplane bespoke composition blueprints for AWS resources
Apache License 2.0

[FEATURE] Example of Serverless Auth REST-API (API-Gateway-Lambda) #121

Open csantanapr opened 1 year ago

csantanapr commented 1 year ago

Is your feature request related to a problem? Please describe

A few users are looking for an example to implement a REST-API using API-Gateway and Lambda with a Lambda authorizer.

Describe the solution you'd like

Using the upbound provider to create an example.

giedri commented 5 months ago

Here is an example: https://github.com/awslabs/crossplane-on-eks/tree/main/examples/upbound-aws-provider/composite-resources/serverless-examples/microservice

It uses a new composition at https://github.com/awslabs/crossplane-on-eks/tree/main/compositions/upbound-aws-provider/apigw

The composition uses the Amazon API Gateway REST API and can be extended to use HTTP API or to include additional features (such as usage plans, private integration targets, etc.) as needed.

giedri commented 5 months ago

API

The API uses the API Gateway REST API endpoint type with an OpenAPI definition that includes a proxy resource. All requests are passed to the integration target (AWS Lambda) for routing and interpretation/response generation. API Gateway does not implement any validation, transformation, path-based routing, or API management functions. Users would have to update the OpenAPI specification to implement those features.

API Gateway uses a Lambda Authorizer for authentication/authorization. However, the sample implementation at ./src/authorizer/lambda_function.py allows all actions on all resources in the API if the Authorization header value in the request matches the one stored in AWS Secrets Manager and retrieved by the Lambda Authorizer when it initializes.

Users shall update the authorizer Lambda code according to their authentication/authorization needs. For more details on how to implement a Lambda Authorizer, they can check out the documentation, or the Lambda Authorizer code in the serverless-rest-api blueprints for JWT-based authorization examples.

Business logic

API Gateway passes all incoming requests to the Lambda function and returns the response back to the API client. Sample implementation code is available at ./src/logic/lambda_function.py. It expects the database table name to be specified in the environment variable TABLE_NAME.

For HTTP GET requests to the API's items resource it runs an Amazon DynamoDB scan operation and returns all items received as a result. For HTTP GET requests for a particular item (the items/{id} resource) it performs a get_item operation and returns the response from DynamoDB. A PUT request to the items resource takes the incoming payload, adds a UUID as the hash key value, adds the current timestamp, and performs a DynamoDB put_item operation. It returns the payload sent to DynamoDB as the response body to the API client.

Database

The example uses a DynamoDB table to store data. The database definition is hardcoded in the composition and includes just a single required id field that is used as the hash key. Users would need to modify this structure and the business logic Lambda code to implement anything more complicated than simple CRUD operations.
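As an added example (not the project's ./src/authorizer/lambda_function.py), a minimal Lambda authorizer with the behaviour described in the API section above: the secret is loaded once at cold start, the Authorization header is compared in constant time, and a matching value yields an Allow policy for every method and path of the API stage. It assumes a REQUEST-type authorizer event (headers plus methodArn); the SECRET_ID and AUTH_TOKEN environment variable names are constructed for this example.

```python
import hmac
import os


def load_expected_token() -> str:
    """Run once per container (cold start), as the sample authorizer does.
    In a deployment the value comes from Secrets Manager; boto3 is imported
    lazily so the example also runs offline from an env var.
    SECRET_ID and AUTH_TOKEN are constructed names, not the project's."""
    secret_id = os.environ.get("SECRET_ID")
    if secret_id:
        import boto3  # present in the Lambda Python runtime
        client = boto3.client("secretsmanager")
        return client.get_secret_value(SecretId=secret_id)["SecretString"]
    return os.environ.get("AUTH_TOKEN", "")


def api_arn_prefix(method_arn: str) -> str:
    """Widen the invoked method ARN (...:api-id/stage/VERB/path) to every
    verb and path of the same stage: the 'all actions on all resources'
    grant the sample authorizer issues on a match."""
    api_base, stage = method_arn.split("/")[:2]
    return f"{api_base}/{stage}/*/*"


def build_policy(effect: str, resource: str) -> dict:
    """IAM policy document in the shape API Gateway expects back."""
    return {
        "principalId": "api-client",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": resource}],
        },
    }


def authorize(event: dict, expected_token: str) -> dict:
    """Compare the Authorization header with the stored secret."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    presented = headers.get("authorization", "")
    # Constant-time comparison so response timing does not reveal how many
    # leading bytes of a guessed value matched; an empty secret never allows.
    if expected_token and hmac.compare_digest(presented.encode(), expected_token.encode()):
        return build_policy("Allow", api_arn_prefix(event["methodArn"]))
    # Deny policy -> 403; raising Exception("Unauthorized") would yield 401.
    return build_policy("Deny", event["methodArn"])


EXPECTED_TOKEN = load_expected_token()


def lambda_handler(event, context):
    return authorize(event, EXPECTED_TOKEN)
```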