anyone know why creation of a CloudFront public key would fail like this?

Resource handler returned message: "Invalid request provided: AWS::CloudFront::PublicKey" (RequestToken: 1457a7a8-cd44-1785-514a-317b7c2dd2d9, HandlerErrorCode: InvalidRequest)

as usual, not much error detail from AWS 😕

const publicKeyContents = fs.readFileSync('./public_key.pem');
  const publicKey = new cloudfront.PublicKey(stack, 'PublicKey', {
    encodedKey: publicKeyContents.toString(),
    publicKeyName: 'Signature verifier',
  });

Is it possible to develop live an already deployed stage? Basically can I do

npx sst start

after

npx sst deploy

?

Is it possible to make an http api authorizer limit routes to users that are in an "Admin" group in cognito or would I need to check their group in the actual lambda function?

what does

Bucket.fromBucketArn

do? it seems like it creates a new bucket, because it requires a resource ID. but based on the name, I’d assume it just points to another bucket. I basically want to point to an existing bucket and not create anything extra

it seems impossible to create a RDS subnet group without using private subnets.. which, when created with CDK, require NAT gateways. 😕 if I try “isolated” subnet types, then I can’t create the

rds.SubnetGroup

:

There are no 'Private' subnet groups in this VPC. Available types: Isolated,Public

it is NOT required to have NAT gateways. am I missing something? I have an existing setup in another account that works perfectly with a DB subnet group of private subnets, and there are no NAT gateways. EDIT: does my RDS DB even need to be in a VPC? 🤔 I must’ve configured it that way before for some good reason. can Lambdas not access the DB otherwise?

Just now actually trying to setup an SST app with cognito and one httpapi route guarded by cognito auth and I am getting this when trying to run: Anyone know what I might be doing wrong?

hey folks! I’m trying to deploy my app using assumed role (added few steps in

seed.yml

) • I used

aws sts assume-role

command and successfully assumed the role • I then exported new aws credentials to the shell • and I can see that the role was assumed properly • problem: I suppose my tweaked environment is not respected in the subsequent shell (just as this docu says) where the actual deployment… is there a way to overcome this?

Hey there, I am trying to deploy from a github action and I am getting this error

Need to perform AWS calls for account my-account, but no credentials have been configured

I did set the

AWS_ACCESS_KEY_ID

and

AWS_SECRET_ACCESS_KEY

using the

seed

generated keys.

when I’m promoting changes from staging to prod, is there a way to enable that is also merges branched correspondingly staging -> main?

Happy Sunday everybody! Having a bit of a challenge debugging locally when using a monorepo setup. My repo looks like this:

project

app

server

types

SST is inside the

server

dir,

app

is for my react-native app, `types`is for my typescript types & interfaces that are shared between the two. When I run tests locally, code in

server

can `import { IType } from "@project/types"`successfully. Also, everything works flawlessly when deployed to AWS. However, when I debug a lambda function locally that uses the `import`above, I get the following error: ERROR Error: Cannot find module ‘/Users/davidmartin/dev/myapp/node_modules/@project/types/dist/index.js’. Please verify that the package.json has a valid “main” entry I can debug lambda’s locally when: 1. The lambda does NOT import from

@project/types

2. If I run `npx tsc`and put and

outdir

as “dist” in my tsconfig.json, then dist/index.js is found and debugging works But it feels weird to run `tsc`in my types directory before I debug. I don’t think I should have to do that. I don’t run

npx tsc

at other time. It’s also a bit weird now to have a `dist`directory. Thoughts?

Hey guys, I’m using TypeORM for my services, and works pretty much well. Now, I’m trying to design a solution that can allow me, on my lambdas, to create a connection to the DB only once, and also allow me to have cleaner lambda source code. Does somebody investigated a way to create a TypeORM initialization from a lambda-layer? Or maybe creating a wrapper/middleware that can encapsulate each lambda and provide them a live connection? My goal is to not repeat the

orm.init()

call on every lambda, which also has to keep that connection on the scope.

I’ve got some

tsconfig.path

weirdness going on, specifically with

paths

aliases. I have this in my config:

{
  "compilerOptions": {
    "baseUrl": "src",
    "paths": {
      "@libs/*": ["libs/*"]
    },
    // ..etc

and yet when I try to use this shortcut in my code:

just dumping this here in case it helps anyone. this is my SST monorepo structure. my convention is, anything named “libs” is shared stuff. so I renamed the default “libs” to “infra”. I have a core stack that everything depends upon, then other stacks that build on that.. for now, just api is done, but others will follow (media-processor, etc)

../v2-microservices
├── README.md
├── cdk.context.json
├── infra
│   ├── api
│   │   ├── appsync.ts
│   │   ├── graphql-schema.gql
│   │   ├── rest-routes.ts
│   │   └── stack.ts
│   ├── core
│   │   ├── auth.ts
│   │   ├── buckets.ts
│   │   ├── cloudfront.ts
│   │   ├── database.ts
│   │   ├── ec2-tunnel.ts
│   │   └── stack.ts
│   ├── index.ts
│   └── libs
│       ├── get-ssm-parameter.ts
│       ├── route-helpers.ts
│       └── types
│           └── infra.ts
├── package.json
├── public_key.pem
├── src
│   └── services
│       ├── auth
│       │   ├── cognito-email-sender.ts
│       │   └── package.json
│       ├── graphql
│       │   ├── package.json
│       │   └── tracking.ts
│       └── rest-api
│           ├── functions
│           │   ├── create-thing.spec.ts
│           │   ├── create-thing.ts
│           │   └── get-things.ts
│           ├── package.json
│           ├── routes
│           └── util
├── sst.json
├── tsconfig.json
└── yarn.lock

13 directories, 29 files

is there some trick to getting a custom

.eslintrc.js

working in an SST project? it seems to be ignoring my rules

any idea why

yarn deploy

would output excess stuff I didn’t request?

Outputs:
    BastionHostBastionHostIdC743CBD6: xx
    BastionHostId: xx
    BastionHostZone: us-east-1a
    ExportsOutputRefUserPool6BA7E5F296FD7236: xx
    ExportsOutputRefUserPoolClient2F5918F753847A55: xx
    UserPoolId: xx

but this is what I’m actually requesting to output:

this.addOutputs({
      BastionHostId: bastionHost.instanceId,
      BastionHostZone: bastionHost.instanceAvailabilityZone,
      UserPoolId: auth.cognitoUserPool!.userPoolId,
    });

It seems it is not possible to set a different authorizer per route using the Api struct in SST. It always uses the defaultAuthorizer if set, and if not set it uses no authorizer.

Does somebody has experience with

Middy

or

lambda-middleware

libraries? I want to build a middleware that can GET some “secret attributes” during runtime from SSM, and I don’t want to put the “get parameters” call on each function code… I want to encapsulate all that and put them in a “context”. Looking for ideas, I think Middy should work fine for this?

Hi all, I am aiming to move my business logic outside of the handler function for easier unit testing. Suppose I move my business logic outside of the handler file that houses my lambda function handler. How would SST know to grab this file and the relevant imports upon deploying the application to AWS? Would it bundle the code up automatically?

I'm using the StaticSite construct for my domain which isn't on Route 53. After deployment I can configure the distribution manually (via the console) with an ACM certificate and "Alternate domain name (CNAME) - optional"; all works fine until the next redeployment. If I set these in SST via config.cfDistribution then I get fatal errors "Do not configure the cfDistribution.domainNames ...."  and "Do not configure the "cfDistribution.certificate ..." "... use the customDomain ...".  However, the documentation says that customDomain is only for Route53 domains. Should those fatal errors be just warnings if the customDomain property is not specified? Or is there another solution I'm missing?

Hello, I'm getting an access-denied error when I checked the IAM, I've full cloudwatch log resource access. Do I need to add any extra permission? Error is: AccessDeniedException: User: arnawssts:&lt;account id&gt;assumed-role/dev-sst-lambda-project-CustomMessageSubscriber0Servic-WPZ64QBFPMK/dev-sst-lambda-project-CustomMessageSubscriber0A30F89-glnN4McVNcwU is not authorized to perform: logs:DescribeMetricFilters on resource: arnawslogsus east 1<account_id>log groupnulllog stream at Request.extractError (D\Workplace\Project\project\cloudwatch custom email\sst lambda\node modules\aws sdk\lib\protocol\json.js52:27) at Request.callListeners (D\Workplace\Project\project\cloudwatch custom email\sst lambda\node modules\aws sdk\lib\sequential executor.js106:20) at Request.emit (D\Workplace\Project\project\cloudwatch custom email\sst lambda\node modules\aws sdk\lib\sequential executor.js78:10) at Request.emit (D\Workplace\Project\project\cloudwatch custom email\sst lambda\node modules\aws sdk\lib\request.js688:14) at Request.transition (D\Workplace\Project\project\cloudwatch custom email\sst lambda\node modules\aws sdk\lib\request.js22:10) at AcceptorStateMachine.runTo (D\Workplace\Project\project\cloudwatch custom email\sst lambda\node modules\aws sdk\lib\state machine.js14:12) at D\Workplace\Project\project\cloudwatch custom email\sst lambda\node modules\aws sdk\lib\state machine.js26:10 at Request.<anonymous> (D\Workplace\Project\project\cloudwatch custom email\sst lambda\node modules\aws sdk\lib\request.js38:9) at Request.<anonymous> (D\Workplace\Project\project\cloudwatch custom email\sst lambda\node modules\aws sdk\lib\request.js690:12) at Request.callListeners (D\Workplace\Project\project\cloudwatch custom email\sst lambda\node modules\aws sdk\lib\sequential executor.js116:18) { code: 'AccessDeniedException', time: 2021-08-09T113419.378Z, requestId: '7bf18aea-43b7-4e14-9414-8c9664bfed48', statusCode: 400, retryable: false, retryDelay: 96.72244526808682 }

Anyone know how to get insight into apigateway latency? The default cloudwatch logs setup for the httpApi show responseLatency as 0 when the authorizer fails, and the authorizer obviously took time to process and I want to know how long a request took from apigw -> authorizer -> integration -> response.

has anything changed with how apig-test should work lately? The contents of my

event.requestContext.identity

from the lambda is all nulls, but I'm verifying that the cognito user is being verified correctly by aws-api-gateway-cli-test itself, resulting in that looks like a good accessKey, secretKey, and sessionToken from AWS.config.credentials....

Hey all, this might be more of a CDK question than anything. But does anybody know if there's anyway to not wait for Cloudfront Invalidations? Not a huge deal but:

UPDATE_IN_PROGRESS | AWS::CloudFront::Distribution | AuthSPADistribution60D2FDA1 
Checking deploy status...
Checking deploy status...
Checking deploy status...
... repeat for 10 minutes

is driving me insane.

Does anyone know if it's possible to use CloudFront + Lambda@Edge to rewrite content served to a user? E.g. if a user accessed a file on my CDN that ends in a certain extension, a Lambda function is invoked to somehow modify that file's content before serving it to the user

I’m running into an issue, which I believe used to work in the past, but is now broken .. maybe? When deploying a sst.Api into a VPC and private subnets, it works fine in

deploy

but fails in debugging

start

mode. I noticed that the debug lambda functions are not deployed into the VPC. Could that be the issue?

I'm having some issues using UUID it keeps saying

(0 , import_uuid.version) is not a function

anyone know how to fix this? I tried setting it in the nodeModules array on the function bundle but that did not changing anything.

How to exclude

node_modules

in the testing coverage report? I tried with

sst test --coverage

showing the node_modules files also in the coverage report.

Hi all, I am having some issues setting permissions for a function that clears a dynamodb table (this function is only used for testing, so I am ok with letting it wipe the entries in a table): I define the function as follows:

const clearDynamodbTableFunction = new Function(this, 'ClearDynamodbTableFunction', {
        srcPath: "src/helpers/clear_table",
        handler: 'index.handler',
        timeout: 30,
        environment: env,
        permissions: ["ssm", skillsTable, usersTable]
      });

skillsTable

and

usersTable

are tables I create earlier. I put this function behind an API:

api.addRoutes(this, {
        "DELETE /clear-table/{table-name}": clearDynamodbTableFunction,
      });

However, upon hitting this API endpoint, I get the following message:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the DescribeTable operation: User: arn:aws:sts::123:assumed-role/dev-sst-integration-my-st-ClearDynamodbTableFuncti-1T3MU86FI83FK/dev-sst-integration-my-st-ClearDynamodbTableFuncti-eQz66VCa26mn is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1:table/UsersTable

Anyone got any ideas why this happens? I thought I was giving my function full access to the table.

Hi all, I want to enable warming for some of my lambdas but I need to give the lambda permission to invoke itself, is there a way we can do that with SST?

Hi all, I’m currently running into SNS message

Invalid parameter: Message too long

error. My payloads are variable in size and can exceed 256kb. I’m just wondering what is considered best practice for transfering data between services when payload size is too big for sns/sqs? I’ve been reading that S3 bucket and passing signature link via sns message is one method. Does anyone have any other options to investigate?