This repository defines a Crossplane configuration package that demonstrates provisioning and invoking AWS Lambda Functions.
The example platform supports the use case of querying SSM parameters via a Lambda function and using the output values for infrastructure provisioning. Application teams store their primary and backup regions into SSM, and when they provision infrastructure Crossplane will invoke a Lambda to extract the regions and use them to create a pair of VPCs.
The Infrastructure team deploys and manages the Lambda infrastructure using the following Compositions:
graph TD;
XParameter
XFunctionDeploy-->XBucket;
XFunctionDeploy-->XFunction;
XApplication
- XParameter: create SSM parameters
- XFunctionDeployment: creates a Lambda function using the following building blocks:
Application teams use the serverless infrastructure to query SSM for their cloud primary and backup regions.
- XApplication: creates two VPCs based on the regions stored in SSM
First you will need access to a Kubernetes cluster. Ensure you are using the correct context:
kubectl config current-contextNext, we'll use the up binary to install UXP, Upbound's distribution of
Crossplane. To get up, follow the installation instructions.
To install UXP using up run:
up uxp install
UXP 1.12.1-up.1 installedInstall the AWS Provider:
kubectl apply -f examples/provider-aws-scoped.yaml
provider.pkg.crossplane.io/upbound-release-candidates-provider-family-aws created
provider.pkg.crossplane.io/provider-aws-iam created
provider.pkg.crossplane.io/provider-aws-ec2 created
provider.pkg.crossplane.io/provider-aws-lambda created
provider.pkg.crossplane.io/provider-aws-ec2 configured
provider.pkg.crossplane.io/provider-aws-ssm createdYou can keep track of the provider install:
kubectl get -f examples/provider-aws-scoped.yaml All the providers should be INSTALLED and HEALTHY within a minute or two:
NAME INSTALLED HEALTHY PACKAGE AGE
upbound-release-candidates-provider-family-aws True True xpkg.upbound.io/upbound-release-candidates/provider-family-aws:v0.37.0 110s
provider-aws-iam True True xpkg.upbound.io/upbound-release-candidates/provider-aws-iam:v0.37.0 110s
provider-aws-ec2 True True xpkg.upbound.io/upbound-release-candidates/provider-aws-ec2:v0.37.0 110s
provider-aws-lambda True True xpkg.upbound.io/upbound-release-candidates/provider-aws-lambda:v0.37.0 110s
provider-aws-ec2 True True xpkg.upbound.io/upbound-release-candidates/provider-aws-ec2:v0.37.0 110s
provider-aws-ssm True True xpkg.upbound.io/upbound-release-candidates/provider-aws-ssm:v0.37.0 110sNext, install the CompositeResourceDefinitions and Compositions:
kubectl apply -f apis/XApplication -f apis/XBucket -f apis/XFunction -f apis/XFunctionDeployment -f apis/XParameterThe Custom Platform APIs are Kubernetes CompositeResourceDefinition objects or XRD
for short. We can list them using kubectl:
kubectl get xrdThe following XRDs should be ESTABLISHED and OFFERED:
NAME ESTABLISHED OFFERED AGE
xapplications.example.upbound.io True True 3m24s
xbuckets.example.upbound.io True True 3m23s
xfunctiondeployments.example.upbound.io True True 3m23s
xfunctions.example.upbound.io True True 3m23s
xparameters.example.upbound.io True True 3m23sNow that Crossplane, the Provider and all the Compositions are installed we
need to give the provider AWS credentials. This is done by creating a ProviderConfig.
There are many options we can use to authenticate to AWS, but to sim
kubectl create secret generic aws-creds -n upbound-system --from-file=creds=./creds.confWe will create the following ProviderConfig object to use the AWS credentials
from the previous step. See AUTHENTICATION for more authentication options like IRSA.
apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
name: default
spec:
credentials:
source: Secret
secretRef:
namespace: upbound-system
name: aws-creds
key: credskubectl apply -f examples/providerconfig-creds.yamlWe're now ready to deploy the examples.
First, each team is going to store their primary and secondary regions in SSM.
To store an SSM parameter, a namespace-scoped Parameter Claim is applied to the cluster:
apiVersion: example.upbound.io/v1alpha1
kind: Parameter
metadata:
name: primary-region
namespace: team-1
spec:
parameters:
providerConfigName: default
region: us-east-1
insecureValue: us-east-1
parameterName: /team-1/primaryRegion
tags:
owner: team-1Using files in the examples directory:
kubectl apply -f examples/namespace-team1.yaml
kubectl apply -f examples/namespace-team2.yaml
kubectl apply -f examples/ssmparameters-team1.yaml
kubectl apply -f examples/ssmparameters-team2.yamlApplying the examples to the cluster would create Kubernetes objects similar to the following:
kubectl get ParameterNAMESPACE NAME SYNCED READY CONNECTION-SECRET AGE
team-1 backup-region True False 14s
team-1 primary-region True False 14s
team-2 backup-region True False 69s
team-2 primary-region True False 69sTo deploy the Lambda Function and other Resources, apply the following manifest:
kubectl apply -f examples/ssm-parameter-lambda-deployment.yamlFinally, we can deploy our Applications.
kubectl apply -f examples/application-team1.yaml
kubectl apply -f examples/application-team2.yaml Confirm the VPCs were created in the regions pulled from SSM.
kubectl get vpc -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.forProvider.region}{"\n"}'team-1-app-4fgxf-9ps5g us-west-1
team-1-app-4fgxf-s457t us-east-1
team-2-app-l8k9v-25nx6 eu-north-1
team-2-app-l8k9v-c6gkg eu-central-1To Clean up the installation, run the following commands:
kubectl delete -f examples/application-team1.yaml -f examples/application-team2.yaml
kubectl delete -f examples/ssmparameters-team1.yaml -f examples/ssmparameters-team2.yaml
kubectl delete -f examples/namespace-team1.yaml -f examples/namespace-team1.yaml
kubectl delete -f examples/ssm-parameter-lambda-deployment.yamlWait for all the cloud resources to be deleted:
kubectl get managedDelete the Compositions, Providers, and ProviderConfig after all the resources have been deleted.
kubectl delete -f apis/XApplication -f apis/XBucket -f apis/XFunction -f apis/XFunctionDeployment -f apis/XParameter
kubectl delete -f examples/providerconfig-creds.yaml
kubectl delete -f examples/provider-aws-scoped.yamlkubectl delete secret -n upbound-system aws-credsThis reference platform is a starting point to help you build your own Platform APIs.
The following sections will detail how to make, test, and publish modifications to these compositions.
Clone this repository:
git clone https://github.com/upbound/platform-ref-lambdaNext pull in the Upbound build as a git submodule:
cd platform-ref-aws
make submodules
Submodule 'build' (https://github.com/upbound/build) registered for path 'build'
Cloning into '/home/user/platform-ref-lambda/build'...
Submodule path 'build': checked out '292f958d2d97f26b450723998f82f7fc1767920c'Next run make. This will download the required components:
makeUptest is used for end to end testing of the
Compositions in this repository. It does this by provisioning example claims and
waiting for them to become READY.
To run uptest locally, first set the UPTEST_CLOUD_CREDENTIALS environment variable
with the contents of an AWS credentials file:
export UPTEST_CLOUD_CREDENTIALS=$(cat ~/.aws/credentials)With the credentials file of the following format:
[default]
aws_access_key_id=AKIA...
aws_secret_access_key=jQplCPbh...make e2eFor any questions, thoughts and comments don't hesitate to reach out or drop by slack.crossplane.io, and say hi!