Hey guys, have a general question of how you guys build your websites… I have a React + Typescript frontend app, living in a repository. Then I have a backend app, living in another repository, built with NestJS + Typescript. This backend app it’s a REST API built for the frontend, in a “BFF style”. My goal…. I want to share the TYPES between both applications, due most of them has to be repeated in the consumer and the producer. I been thinking in 4 different alternatives to share those types: 1. Build a third repository, which would be like

@types/mycompany

and put it as a

devDependency

on both projects. 2. Put the backend project as a

devDependency

of the frontend project. 3. Use an “API client generator” like swagger/OpenApi or something similar that can auto-generate types. I don’t know much how to share the types here yet, but it’s a theory. 4. Use a mono-repo strategy… I don’t like this due my company already uses separated repos for each app. What should I do? anybody else doing any of these?

I'm trying to reduce the AWS permissions on the IAM user that deploys/drops SST stacks and have actually switched to using a service role for CloudFront as per @Frank’s recommendation and using the --role-arn flag on sst commands. I've been able to remove a stack bu now trying to recreate it I'm getting the following weird error :

Bucket named 'cdk-hnb659fds-assets-055101xxxxxx-us-west-2' exists, but not in account 055101xxxxxx. Wrong account?

I've replaced the last 6 digits with x in the paste above but they were exactly the same. Any idea ? I've tried enlarging my S3 perms to * resources (I had 'cdk-*' before) but no difference. Should I just try manually deleting the bucket and see if that helps ? In my existing buckets there is also the same bucket but with us-east-1 in the end.

Anyone doing contract testing with any event system in aws e.g. SNS, SQS, and Eventbridge

Maybe a question for the wrong place, but is it possible to assign multiple different `DomainName`s to an API? And asssign them to the base path? E.g.

<http://api-x.company.com|api-x.company.com> -> /

<http://api-y.company.com|api-y.company.com> -> /

?

Hi everyone, I’m trying to build a prototype for a “multi-tenant app” (let’s say a Shopify, something similar to seed.run) which might turn kinda complex, here are the main features: • Teams/ACL support: so you can create a team and invite members to manage or access the app (depending on permissions). • Each team (tenant) has it’s own list of items (let’s say products), store settings and so In my mind there is an app for the dashboard where the user can manage it’s team and the team can manage the items of the store and then there is a separated table for each store and their stuff. That said here are my questions: Do you think it makes sense to create an individual table for each store (+ also a dedicated bucket for each store’s assets)?; it make sense to me b/c that way I can have a better accuracy on the actual billing for each customer (team) Have you seen any example for these kind of situations? (I was just able to find a issue without any other reference: https://github.com/AnomalyInnovations/serverless-stack-com/issues/331) This is pretty much a complex scenario, right, but also I think it’s a common one so I just wanted to have thoughts on what would make more sense here for the SST and serverless approach.

I have a very weird error. I had a functional stack. I decided to reduce the AWS permissions on the IAM user that deploys/drops SST stacks and have actually switched to using a service role for CloudFront using the --role-arn flag. That involved a lot of steps including re-bootstrapping CDK and lot of trial and error to get the policies right. Now it deploys and works again EXCEPT for one specific API call that with certain parameters and not others generates a runtime error in the live dev mode. I've stepped thought it and the error occurs after "my" lambda code ends and returns the result. The error seen on the server is a 403 access denied on S3

a625b40c-04d9-4cbe-90b7-8324e904055a REQUEST DEV-ERIK-dwam-back-my-sta-ApiLambdaGETassets0D68A0-FzosTE9J9tP7 [src/routes/assets_get.main] invoked by API GET /assets
a625b40c-04d9-4cbe-90b7-8324e904055a RESPONSE {"headers":{"Content-Type":"application/json"},"statusCode":200,"body":"{\n  \"csvHeader\": \"latitude,longitude\",\n  \"csvData\": \"37.65728378,-122.4156265\\r\\n37.65734863,-122.41... 177051 more characters"}
Failed to upload payload to S3. AccessDenied: Access Denied
    at Request.extractError (/Users/erik/src/dataworks/dwam-back/node_modules/aws-sdk/lib/services/s3.js:714:35)
    at Request.callListeners (/Users/erik/src/dataworks/dwam-back/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/Users/erik/src/dataworks/dwam-back/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/Users/erik/src/dataworks/dwam-back/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/Users/erik/src/dataworks/dwam-back/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/erik/src/dataworks/dwam-back/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/erik/src/dataworks/dwam-back/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/erik/src/dataworks/dwam-back/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/Users/erik/src/dataworks/dwam-back/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/Users/erik/src/dataworks/dwam-back/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'AccessDenied',
  region: null,
  time: 2021-12-21T21:20:09.867Z,
  requestId: 'R0H1MF37YG9JSGTQ',
  extendedRequestId: 'SXswySS3eGF3DkYb/YjNO8YIw2T911TZViSQZbivYh6VHH71nfQP33L1lTVTA6oixDM5oFvwEuc=',
  cfId: undefined,
  statusCode: 403,
  retryable: false,
  retryDelay: 43.50154802428319
}

and when I check the Cloudwatch logs I see this 404 on S3 :

2021-12-21T22:20:05.498+01:00	START RequestId: a625b40c-04d9-4cbe-90b7-8324e904055a Version: $LATEST

2021-12-21T22:20:05.517+01:00	2021-12-21T21:20:05.516Z a625b40c-04d9-4cbe-90b7-8324e904055a INFO connectAndSendMessage()

2021-12-21T22:20:05.641+01:00	2021-12-21T21:20:05.641Z a625b40c-04d9-4cbe-90b7-8324e904055a INFO ws.onopen

2021-12-21T22:20:05.641+01:00	2021-12-21T21:20:05.641Z a625b40c-04d9-4cbe-90b7-8324e904055a INFO sendMessage() - send request

2021-12-21T22:20:05.643+01:00	2021-12-21T21:20:05.642Z a625b40c-04d9-4cbe-90b7-8324e904055a INFO sendMessage() - sending request via WebSocket

2021-12-21T22:20:05.644+01:00	2021-12-21T21:20:05.643Z a625b40c-04d9-4cbe-90b7-8324e904055a INFO sendMessage() - start keep alive timer

2021-12-21T22:20:10.189+01:00	2021-12-21T21:20:10.188Z a625b40c-04d9-4cbe-90b7-8324e904055a INFO ws.onmessage {"action":"client.lambdaResponse","debugRequestId":"a625b40c-04d9-4cbe-90b7-8324e904055a-1640121605516","stubConnectionId":"Kt-45fnPPHcCGBQ=","payloadS3Key":"payloads/a625b40c-04d9-4cbe-90b7-8324e904055a-1640121605516-response"}

2021-12-21T22:20:10.189+01:00	2021-12-21T21:20:10.189Z a625b40c-04d9-4cbe-90b7-8324e904055a INFO receiveMessage()

2021-12-21T22:20:10.189+01:00	2021-12-21T21:20:10.189Z a625b40c-04d9-4cbe-90b7-8324e904055a INFO receiveMessage() - received payloadS3Key

2021-12-21T22:20:10.256+01:00	2021-12-21T21:20:10.256Z a625b40c-04d9-4cbe-90b7-8324e904055a INFO [AWS s3 404 0.065s 0 retries] getObject({ Bucket: 'dev-erik-dwam-back-debug-stack-bucket83908e77-1awrh01i15tnq', Key: 'payloads/a625b40c-04d9-4cbe-90b7-8324e904055a-1640121605516-response' })

2021-12-21T22:20:10.259+01:00	2021-12-21T21:20:10.259Z a625b40c-04d9-4cbe-90b7-8324e904055a ERROR Unhandled Promise Rejection {"errorType":"Runtime.UnhandledPromiseRejection","errorMessage":"NoSuchKey: The specified key does not exist.","reason":{"errorType":"NoSuchKey","errorMessage":"The specified key does not exist.","code":"NoSuchKey","message":"The specified key does not exist.","region":null,"time":"2021-12-21T21:20:10.253Z","requestId":"0G7QZ64M4EVDDPV5","extendedRequestId":"Zk5DMRznR+DMrIMUD0jYqUlGn2aejxk6E+Gl0WupDfZCynNyUKOzjWUJPK10Pseeu80tzGB6t4o=","statusCode":404,"retryable":false,"retryDelay":8.646154170322662,"stack":["NoSuchKey: The specified key does not exist."," at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:699:35)"," at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)"," at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)"," at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)"," at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)"," at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)"," at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10"," at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)"," at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)"," at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"]},"promise":{},"stack":["Runtime.UnhandledPromiseRejection: NoSuchKey: The specified key does not exist."," at process.<anonymous> (/var/runtime/index.js:35:15)"," at process.emit (events.js:314:20)"," at process.EventEmitter.emit (domain.js:483:12)"," at processPromiseRejections (internal/process/promises.js:209:33)"," at processTicksAndRejections (internal/process/task_queues.js:98:32)"]}

2021-12-21T22:20:10.275+01:00	END RequestId: a625b40c-04d9-4cbe-90b7-8324e904055a

2021-12-21T22:20:10.275+01:00	REPORT RequestId: a625b40c-04d9-4cbe-90b7-8324e904055a Duration: 4775.65 ms Billed Duration: 4776 ms Memory Size: 1024 MB Max Memory Used: 28 MB XRAY TraceId: 1-61c24505-337b01bf10f9f70f44866cac SegmentId: 247605f67fd8dd26 Sampled: true

2021-12-21T22:20:10.275+01:00	Unknown application error occurred

I'm eager to see if any of you have any idea ?

@thdxr hey mate - by having Cognito configured to use email links instead of codes for confirmation, I’m having this error:

Cannot perform specific action because there does not exist a valid use pool domain associated with the user pool

How do I set a domain+name on the

Auth

construct? Couldn’t find it on the userPool or userPoolClient props

Hey 🙂 I'm having an issue updating lambdas in AWS - I change the code of a handler, do

sst build

, then

sst deploy

, but I see

no changes

in the output and end up having old version of my lambdas in AWS. Is there a step that I'm missing? The only way I've found so far to "refresh" the lambda code is to remove a route, redeploy, add the route back and deploy again. I assumed that lambda code will get uploaded when I deploy even if there are no changes to the stack configuration, but it doesn't seem to be the case

Hello, can I use a custom domain for

AppSyncApi

? or it's not supported

Hey hey 👋 Moving over from serverless framework, I'm having an issue running an Apollo GraphQL API locally via

sst start

. I'm using

sst.ApolloApi

, essentially the exact example here. The response from my lambda is a

404

, and when attempting to load the endpoint in browser, I get:

Cannot GET /

Any hints?

Anyone have any examples of adding a GSI1PK example in SST. I’m trying to do the single table design thing. My table is created like

const customersTable = new sst.Table(this, "Customers", {
      fields: {
        pk: sst.TableFieldType.STRING,
        sk: sst.TableFieldType.STRING,
      },
      primaryIndex: { partitionKey: "pk", sortKey: "sk" },
    });

What I want is to make,

createdAt

a secondary primary key so that I can fulfill the access pattern of

getCustomerByCreatedAt

It seems like this is the correct way to do this but I”m not sure.

customersTable.addGlobalIndexes({
      indexName: "createdAt",
      partitionKey: { name: "gs1pk", type: sst.TableFieldType.STRING },
    });

guys, have you tried running cron that uses puppeteer? got an error cannot find module puppeteer/lib/Browser. here are my dependencies "chrome-aws-lambda": "^9.1.0", "puppeteer": "^9.1.1", "puppeteer-core": "^9.1.0"

how can you console.log construct properties in SST/CDK? I just get weird output like

${Token[TOKEN.1210]}

. is there some way to evaluate those? or, really, I’m just trying to figure out the output of

api.url

(

sst.Api

).

Hey there, I'm getting invalid client token id when starting up debugger in vscode with live lambda development, this doesn't occur when not using the debugger. Is there a common fix to this?

Are the recent AWS outages impacting signup / auth? I just saw that some stuff was down but didn’t really actually look

Is there any content related to setting up a new domain from Route53 to my CloudFront app via SST?

I need to install dlib, which requires CMake.

Earlier I was asking about DynamoDB and adding a GSI. With single table design, should there just generally be a handful of GSI’s and I may as well make them when I create the table if they have generic names like

gsi1

and so on?

I'm starting my sst application with

sst start --stage local

but code changes not updating. Live reload not working ? I dont see any errors ? how should I debug this ?

I have a react app hosted via cloudfront which is displayed in an iframe in a 3rd party platform (it's a zendesk application that points to the cloudfront url) and i'm trying to lock it down so that only requests to load content from zendesk are allowed. Zendesk has a feature where it can send a jwt as POST request on the initial page request but i'm having trouble as it doesn't seem possible to deny the request if the jwt is invalid on that one POST request (other GET requests to the content hosted in the s3 origin still make it through) is there any way to accomplish this? I appreciate it's probably a niche issue

When running lambdas locally, will environment variables be available via

process.env

? Based on reading these docs (https://serverless-stack.com/examples/how-to-create-a-crud-api-with-serverless-using-dynamodb.html) it seems like they should be, however I'm getting

undefined

values

Is there a way to pass the is there a way to pass the

api.url

to the functions in one pass?

this.api = new sst.Api(this, "Api", {
      defaultAuthorizationType: "AWS_IAM",
      defaultFunctionProps: {
        environment: {
          API_URL: this.api.url, // like here

I want to have access to it in a route. I suppose I can do it just by using

addRoutes

?

Hrm. How does

sst.ReactStaticSite

allow environment variables to be passed to the frontend app? Does it depend on a particular setup for production deployment? (i.e. availability of scripts, webpack env variable / define plugin, etc

Anyone experienced with

@aws-cdk/aws-secretsmanager

? I need help retrieving my generated secret to format it with postgres url and pass it on as an environment variable to my fargate service. I have the ff code:

import { Secret } from '@aws-cdk/aws-secretsmanager'

const dbCredentials = new Secret(this, 'DBCredentialsSecret', {
  secretName: 'my-db-credentials',
  generateSecretString: {
    secretStringTemplate: JSON.stringify({
      username,
    }),
    excludePunctuation: true,
    includeSpace: false,
    generateStringKey: 'password',
  },
})

I’ve tried outputting the ff syntaxes:

dbCredentials.secretValueFromJson('password').toString()
ECSecret.fromSecretsManager(passwordSecret, 'password')

but they only show me the gibberish value (or something similar):

{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:732453962214:secret:my-db-credentials-c3Qjjv:SecretString:password::}}

How do you guys go about granting access to encrypted parameters in Systems Manager - Parameter Store? We currently store the path to the parameter in an env var and then do:

const kmsKey = Key.fromKeyArn(this, 'kmsKey', process.env.KMS_KEY_ARN);
const someParam = ssm.StringParameter.fromSecureStringParameterAttributes(this, 'theParam', {
  parameterName: process.env.THE_PARAM_PATH,
  encryptionKey: kmsKey,
  version: parseInt(process.env.THE_PARAM_VERSION),
});
// define some functions
kmsKey.grantDecrypt(theFunction);
fsmCredsParam.grantRead(theFunction);

(In actual fact, rather than storing the version in a separate env var, we store it like /some/path/to/param:2 and split it around the colon.) However, the problem with this is that the developer needs to update the env vars each time the parameter is changed to reflect the new parameter version which is a manual step that can (and does) get forgotten. The version is mandatory and you can't specify a wildcard. Is there a slicker way of doing this?

Hey Folks, I am looking for some researched opinion on: For server-side translation, is it better to: 1. Send a language code in all client requests and then have the server choose the correct language response based on the language code in the request 2. Don’t do any server-side translating at all and send back generic codes that the frontends have knowledge about and they choose the correct language and response based on the code I used to feel strongly about #2, but I’m also thinking about introducing cloud based language localization system Crowdin, #1 may be the way to go. Could you guys please let me know how you are doing and what’s you recommendation based on your research. Great Thanks for your precious time and Merry Christmas 🎄🎅 to All 🎉

Hi All , A query related to S3 access authorization. We can use UUID in Identity pool for restricting to own folder. What if in an application, we need users to share S3 objects with each other ? Like the object is in my folder . But I have shared this object with another user. So when the other users logs in , he should be able to access the object. How do we write the IAM role in this case ?

Hi, I'm looking into organizing my project where I have an Apollo "BFF" API and a NextJS project that together form 1 application. According to the guide, its best to have each containing their own stack, but given the simplicity of both services I would rather go for a structure in which 1 SST "app" controls both services. They 'do' however have different deps (for example the BFF has apollo-server-lambda while the NextJS project has Next and React:

/app/
/app/package.json
/app/lambda.js
/bff/
/bff/package.json
/bff/lambda.js
/stacks/
/stacks/AppStack.js
/stacks/BFFStack.js
/stacks/index.js // Would deploy both stacks
package.json // Contains SST
sst.json

So essentially the 2 services are "unaware" of SST, they just know about the lambda function. Besides the "how to set this up". Would there be reasons not to do it like this? Why have SST in each service? Its quite a common practice to have the deploy mechanisms outside of each service. What am I missing here?

SOLVED - You can only do updates via a PK, you can’t do them with a GSIPK so I had to swap them 🎉 . Thanks to Garret for that. I’m doing something goofy with a DynamoDB request. Or I set up a SKI incorrectly (seems unlikely) I recently added a GSI to my table

customersTable.addGlobalIndexes({
      gsi1pk: {
        partitionKey: "gsi1pk",
        type: sst.TableFieldType.STRING,
      },
    });

I can see it in my Indexes so that appears to have worked. When I add params to put like so…

const params = {
      TableName: process.env.TABLE_NAME,
      Item: {
        pk: `SHOP#${shop}PHONE#${phoneNumber}`,
        sk: `SID#${messageSid}`,
        gsi1pk: `SID#${messageSid}`,
        messageStatus,
      },
    };

    await dynamoDb.put(params);

the item is inserted in the table and I can see it 🎉 However, when I try to update that value

const values = {
    TableName: process.env.TABLE_NAME,
    Key: {
      gsi1pk: `SID#${messageSid}`,
      sk: `SID#${messageSid}`,
    },
    UpdateExpression: "SET messageStatus = :messageStatus",
    ExpressionAttributeValues: {
      ":messageStatus": smsStatus,
    },
  };

  await dynamoDb.update(values);

It’s not obvious to me what’s wrong.

Hey all, hope everyone had a merry christmas, I had a couple questions around the auth construct • Does anyone know how to have a separate email sent for cognito verification and cognito password resets with sst auth? At the moment when i try to do a password reset I get sent the email defined under the property

userVerification

• And does anyone know how to get the emails sent from my own domain (i.e. hello@mydomain.com)? Which is also hosted in aws. I have tried a solution i found online which involved using SES but didn't work as my infra is hosted in ap-southeast-2. So open to any ideas on this one 🙂 Cheers