How to use the aws_apigatewayv2_api to add an HTTP API to a Lambda function

Learn how to use AWS HTTP APIs to easily expose a Lambda-backed API

12 mins

API Gateway HTTP APIs

The AWS API Gateway HTTP APIs, a simplified version of the REST APIs, recently went GA and offer a lot of improvements over the current Lambda integration solution. With Terraform support for the new resource type, it’s time to see how it works and how simple it got to add an API to a Lambda function.

The new API requires only 2 resources, the API itself and a permission to invoke the function:

# Lambda function
resource "aws_lambda_function" "lambda" {
	# ...
}

# HTTP API
resource "aws_apigatewayv2_api" "api" {
	name          = "api-${random_id.id.hex}"
	protocol_type = "HTTP"
	target        = aws_lambda_function.lambda.arn
}

# Permission
resource "aws_lambda_permission" "apigw" {
	action        = "lambda:InvokeFunction"
	function_name = aws_lambda_function.lambda.arn
	principal     = "apigateway.amazonaws.com"

	source_arn = "${aws_apigatewayv2_api.api.execution_arn}/*/*"
}

As a comparison, the same with a REST API needs a lot more resources:

aws_api_gateway_rest_api
aws_api_gateway_resource
aws_api_gateway_method
aws_api_gateway_integration
aws_api_gateway_deployment
aws_lambda_permission

With HTTP APIs all that boilerplate is hidden behind a quick-start config that takes care of setting up the trivial stuff. If you want to use something more advanced, such as JSON models or an authorizer, you can configure those too.

I’ve always felt that I just need one simple feature and I can do anything else in code. That simple thing is to give me a URL that calls the function. With REST APIs that core functionality requires too much boilerplate. Now with HTTP APIs that got a lot easier.

But this simplification comes with changes that affect how to properly use the new type of APIs and how to integrate with other services.

Shameless plug

AWS S3 signed URLs handbook -
How to handle files in a serverless environment

Learn the ins and outs of file downloads and uploads in a serverless environment

Get the book

Name attribute

There are only two moving parts required for an HTTP API: the ARN of the Lambda function and a unique name for the API.

The AWS Terraform provider is inconsistent when resource names are required and when they are optional. For example, an S3 bucket will be named something unique and random if the argument is missing. Others, such as the aws_apigatewayv2_api, require a name.

I prefer when a resource does not require a parameter like this. The problem with names is that they must be unique and the deployment fails when there is a collision. An auto-generated name handles this by default, but when it must be provided it’s tempting to hardcode something in the config. But with a fixed name, the same stack can not be deployed to the same region and possibly to the same account more than once at a time. AWS throws a ResourceConflictException when there is a collision.

Fortunately, the random_id resource can help by generating a unique string for each deployment. This reproduces how an optional resource name works.

resource "random_id" "id" {
	byte_length = 8
}

resource "aws_apigatewayv2_api" "api" {
	name = "api-${random_id.id.hex}"
	# ...
}

Troubleshooting

My first experience with the simplified HTTP API was how hard it is to know what went wrong. On the first try, I got an “Internal server error”, and no other clue. Logging in to the Console, I saw the request did not reach the Lambda as no log entries were in the function’s log. And after activating the request logging all I saw was 500 errors without explanation.

What helped eventually was the usual trick to debug IaC: creating a new API manually using the Console and comparing the two to find what difference might result in the errors I’m seeing. Eventually I figured there was an error with the Lambda permission and the API started working after I fixed that.

Apart from the catch-all “Internal server error”, I encountered “Not Found” errors also. These happen when there is a problem with the routes and the API does not match the request URL.

A longer-term problem is that it’s near impossible to google its name as it’s too generic. This makes it especially hard to find solutions for known problems.

And not just because of the naming, but the official documentation meshes the API Gateway HTTP API with the REST API which makes it hard to find examples specifically for the former.

Shameless plug

[Free] AWS S3 signed URLs email course

Learn how to implement a secure, robust, and serverless-friendly file distribution solution from this 8-part email course.

Get the course

Lambda payload format version 2.0

With the new API comes a new Lambda payload format. This defines the event argument of the function and the required elements in the output. Fortunately, the old format is still supported, so an existing function can still be used with the new API without rewriting it. But new functions should use the new one.

The changes in the output format are the easier to cover as it only got easier. If you want to return a JSON, you no longer need to specify the statusCode and the Content-Type boilerplates as those will be automatically set to 200 and application/json, respectively.

module.exports.handler = async (event, context) => {
	return {
		some: "result",
	};
};

Of course, you can overwrite them if you need, making this change backwards-compatible.

The input format, on the other hand, is changed in non-backwards compatible ways. The documentation offers an example where it’s easy to compare the two formats.

Most of it is moving parameters around, such as the event.path which is now at event.requestContext.http.path and the event.httpMethod is moved to event.requestContext.http.method.

Another useful change is the first-class handling of cookies. The event.cookies contains the cookies sent with the request and the cookies property in the response is automatically converted into set-cookie headers.

A less used but no less impactful change is how duplicate headers and query parameters are sent to the Lambda function. These are no longer parsed for you but simply concatenated with commas. A possible problem is that these are not escaped in any ways, so a query with ?a=b,,&a=,c will be sent as:

"queryStringParameters": {
	"a": "b,,,,c"
}

If that can be a problem, the rawQueryString contains the unprocessed query from where you can extract the values correctly.

Shameless plug

[Free] The first 5 steps for a secure AWS account Ebook

Practical advice on how to make an AWS account more secure.

More info and download

$default stage and route

With the new $default stage the domain name is finally enough to call an API and there is no need to pass the stage name around too.

Before the $default stage, the URL consisted of the domain and a stage (https://<api_id>.execute-api.<region>.amazonaws.com/<stage>/) and the root path does not reach the API. Now with $default specified as the stage name, the request to https://<api_id>.execute-api.<region>.amazonaws.com/ is handled by that stage.

As this simplifies the URL it makes the integration easier with other services. For example, the origin_path argument is not needed when using CloudFront.

Apart from the $default stage, there is also a $default route that simplifies catch-all path patterns. This is similar to the {proxy+} construct but it handles the root pattern also. With a REST API, if you wanted to handle both <url>/stage/ and <url>/stage/path you’d need to use an additional resource under the root and two methods and two integrations:

# handle /*
resource "aws_api_gateway_resource" "proxy" {
	parent_id   = "${aws_api_gateway_rest_api.rest_api.root_resource_id}"
	path_part   = "{proxy+}"
	# ...
}

resource "aws_api_gateway_method" "proxy" {
	resource_id   = "${aws_api_gateway_resource.proxy.id}"
	# ...
}

resource "aws_api_gateway_integration" "lambda" {
	http_method = "${aws_api_gateway_method.proxy.http_method}"
	# ...
}

# handle /
resource "aws_api_gateway_method" "proxy_root" {
	resource_id   = "${aws_api_gateway_rest_api.rest_api.root_resource_id}"
	# ...
}

resource "aws_api_gateway_integration" "lambda_root" {
	http_method = "${aws_api_gateway_method.proxy_root.http_method}"
	# ...
}

That’s a lot of boilerplate copy-pasted whenever a new API is needed. With the $default route, all this is gone.

Price

Compared to the REST APIs, HTTP APIs are cheaper and quite significantly so. The starting price is $1 per million requests, while the same is $3.5 for REST APIs. It’s a significant reduction but of course, the actual impact is dependent on the ratio of this cost item to the overall infrastructure.

But let’s see how it compares to the Lambda function that it exposes as an API!

With 128 MB of memory allocated, the function costs $0.2 for every 100 ms it runs per million requests. Apart from that, there is an additional $0.2 / million request cost.

With the HTTP API, $1 / million cost is equal to a function that runs between 300-400 ms. For a REST API, the same function can run for ~1.6 seconds to reach the API’s $3.5 / million price tag.

To put it this way: you get a free ~1.2 seconds of runtime for your function (with 128 MB RAM) if you use the new HTTP API.

Speed

With simplified configuration, HTTP APIs also offer less overhead to the request latency, as described in the release announcement.

Faster is always better, but the latency experienced by end-users is affected by a ton of other things too. The Internet is not famous for its low jitter, DNS resolution takes an unknown number of hops, TCP and TLS require roundtrips but their exact number is determined by the protocol used, and also Lambda can spin up a new instance any time which incurs a slow cold start. But the part API Gateway adds to the mix is a bit smaller now.

On a more practical side, HTTP APIs do not support caching and edge optimization. I believe it’s not a great loss as you can always add CloudFront manually, which is what “edge optimized” meant anyway, and configure it to provide both. This also gives a bit more control over how things work.

How to use with CloudFront

Since HTTP APIs bring support to the $default stage and a route key that offers fine control over the paths of the API, it changes how it can be integrated with CloudFront compared to REST APIs.

And because of the way the path_pattern is handled in CloudFront, we need to consider how an HTTP API works with the default cache behavior as well as with a non-default one.

Default cache behavior

With the $default stage it’s enough to define the domain name and there is no need to define the origin_path argument.

resource "aws_apigatewayv2_api" "api" {
	name          = "api-${random_id.id.hex}"
	protocol_type = "HTTP"
	target        = aws_lambda_function.lambda.arn
}

# ... lambda, permission

resource "aws_cloudfront_distribution" "distribution" {
	origin {
		domain_name = replace(aws_apigatewayv2_api.api.api_endpoint, "/^https?://([^/]*).*/", "$1")
		origin_id   = "apigw_root"
		# no origin_path is needed for the $default stage

		custom_origin_config {
			http_port              = 80
			https_port             = 443
			origin_protocol_policy = "https-only"
			origin_ssl_protocols   = ["TLSv1.2"]
		}
	}
	default_cache_behavior {
		target_origin_id = "apigw_root"
		# ..
	}
	# ...
}

A request to the path https://<url>/testroute has the path properly filled:

{
	"requestContext": {
		"http": {
			"method": "GET",
			"path": "/testroute",
		},
	}
}

Ordered cache behavior

The path_pattern is required for a non-default behavior, as this parameter configures the routing between the origins. But this is only used to determine which behavior to match but the full path is sent to the origin. This messes up the request path the Lambda function sees, as it will get the requests other than the /.

userCloudFrontdefault => origin_1/api/* => origin_2origin_1origin_2/login/api/login/login/api/loginThe full path is sent to the origin

For example, if the path_pattern is /api/* then the function will get /api/login as well as /api/, but never the / or /login. And if the function expects the requests relative to the root, it won’t work.

A trivial solution is to add the path pattern to every path checking in the function’s code. This works, but it limits the portability of the code.

A more robust solution is to use Lambda@Edge to cut the routing part of the origin request. This works for all types of origins but it incurs additional costs and complexity.

But with HTTP APIs it’s possible to use the route_key to match only paths under the path_pattern. For example, to send only the request under the /test/ path to the function, use the ANY /test/{proxy+} route key:

resource "aws_apigatewayv2_api" "api-path" {
	name          = "api-path-${random_id.id.hex}"
	protocol_type = "HTTP"
	target        = aws_lambda_function.lambda.arn
	# the route_key includes the path_pattern
	route_key = "ANY /test/{proxy+}"
}

resource "aws_cloudfront_distribution" "distribution" {
	origin {
		domain_name = replace(aws_apigatewayv2_api.api-path.api_endpoint, "/^https?://([^/]*).*/", "$1")
		origin_id   = "apigw_path"

		custom_origin_config {
			http_port              = 80
			https_port             = 443
			origin_protocol_policy = "https-only"
			origin_ssl_protocols   = ["TLSv1.2"]
		}
	}
	ordered_cache_behavior {
		path_pattern = "/test/*"
		target_origin_id = "apigw_path"
		# ...
	}
	# ...
}

With the above config, the event object contains the matched part in the pathParameters.proxy property. A request to https://<url>/test/testroute yields this object:

{
	"requestContext": {
		"http": {
			"method": "GET",
			"path": "/test/testroute",
		},
	},
	"pathParameters": {
		"proxy": "testroute"
	},
}

Request path in the Lambda function

To support both cases on the Lambda function’s side we need some special care when checking the request path.

The path is either in the requestContext.http.path or in the pathParameters.proxy. To handle both cases, the function has to check the latter first and fall back to the former:

const realPath = event.pathParameters && event.pathParameters.proxy !== undefined
	? `/${event.pathParameters.proxy}`
	: event.requestContext.http.path;

With this code, it does not matter if the function is reached via a default or a non-default behavior, the realPath will be relative to the correct path.

For example, when mapped to the default_cache_behavior and a request comes to https://<url>/example then realPath will be /example. If the same function is mapped in an ordered_cache_behavior with a path_pattern of /test/*, a request to https://<url>/test/example, the realPath will be set correctly to /example.

Conclusion

Overall, I’m happy with the new API type. It makes the common use case easier, faster, and cheaper, which is always a good thing. Now I don’t need to copy-paste a screenful of Terraform code to make a Lambda function available via HTTP.

HTTP APIs also have a lot of configuration options but those are optional. You can still configure them to fit a lot of use-cases if you need to, but the common case is now reduced to just a few lines of code.

02 June 2020