## Creating the AWS Serverless Application Model (SAM) application

### [Verify pre-requisites for AWS SAM](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html#serverless-sam-cli-install-prerequisites)
SAM requires python 2.7 or 3.6 and pip to be installed to continue.

In [19]:
import boto3
import os
import sagemaker
from sagemaker import get_execution_role
import project_path # path to helper methods
from lib import workshop

role = get_execution_role()

s3 = boto3.resource('s3')
cfn = boto3.client('cloudformation')

# use the region-specific sample data bucket
region = boto3.Session().region_name
stack_name = 'serverless-hello'

## [Create S3 Bucket](https://docs.aws.amazon.com/AmazonS3/latest/gsg/CreatingABucket.html)

We will create an S3 bucket that will be used throughout the workshop for storing our data.

[s3.create_bucket](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.create_bucket) boto3 documentation

In [2]:
bucket = workshop.create_bucket_name('sam-')
s3.create_bucket(Bucket=bucket, CreateBucketConfiguration={'LocationConstraint': region})
print(bucket)

sam-f3e546e4-5315-419e-8a95-af352047d118


## Verify Python and pip versions

Both Python and pip will be installed when using SageMaker managed notebooks.

In [3]:
!python --version
!pip --version

Python 3.6.5 :: Anaconda custom (64-bit)
pip 10.0.1 from /home/ec2-user/anaconda3/envs/python3/lib/python3.6/site-packages/pip (python 3.6)


### [Installing AWS SAM](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html)

The primary distribution method for the AWS SAM CLI on Linux, Windows, and macOS is pip, a package manager for Python that provides an easy way to install, upgrade, and remove Python packages and their dependencies.

Pre-requistites:
* Docker
* [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/)
* (Pip only) Python 2.7 or Python 3.6

In [4]:
!pip install aws-sam-cli

[33mYou are using pip version 10.0.1, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.[0m


### Verify the latest version of SAM is installed 

In [6]:
%%bash
export PATH=$PATH:/home/ec2-user/.local/bin
sam --version
sam init -r python3.6 -n serverless-todo

SAM CLI, version 0.10.0
[+] Initializing project structure...
[SUCCESS] - Read serverless-todo/README.md for further instructions on how to proceed
[*] Project initialization is now complete


In [7]:
!cat serverless-todo/README.md

# serverless-todo

This is a sample template for serverless-todo - Below is a brief explanation of what we have generated for you:

```bash
.
├── README.md                   <-- This instructions file
├── hello_world                 <-- Source code for a lambda function
│   ├── __init__.py
│   ├── app.py                  <-- Lambda function code
│   └── requirements.txt        <-- Python dependencies
├── template.yaml               <-- SAM Template
└── tests                       <-- Unit tests
    └── unit
        ├── __init__.py
        └── test_handler.py
```

## Requirements

* AWS CLI already configured with at least PowerUser permission
* [Python 3 installed](https://www.python.org/downloads/)
* [Docker installed](https://www.docker.com/community-edition)
* [Python Virtual Environment](http://docs.python-guide.org/en/latest/dev/virtualenvs/)

## Setup process

### Building the project

[AWS Lambda requires a flat folder](https://docs.aws.amazon.com/la

## Load required dependencies locally to the application

In [8]:
!pip install -r serverless-todo/hello_world/requirements.txt -t serverless-todo/hello_world/

Collecting requests==2.20.0 (from -r serverless-todo/hello_world/requirements.txt (line 1))
[?25l  Downloading https://files.pythonhosted.org/packages/f1/ca/10332a30cb25b627192b4ea272c351bce3ca1091e541245cccbace6051d8/requests-2.20.0-py2.py3-none-any.whl (60kB)
[K    100% |████████████████████████████████| 61kB 4.1MB/s ta 0:00:011
[?25hCollecting idna<2.8,>=2.5 (from requests==2.20.0->-r serverless-todo/hello_world/requirements.txt (line 1))
  Using cached https://files.pythonhosted.org/packages/4b/2a/0276479a4b3caeb8a8c1af2f8e4355746a97fab05a372e4a2c6a6b876165/idna-2.7-py2.py3-none-any.whl
Collecting certifi>=2017.4.17 (from requests==2.20.0->-r serverless-todo/hello_world/requirements.txt (line 1))
  Using cached https://files.pythonhosted.org/packages/9f/e0/accfc1b56b57e9750eba272e24c4dddeac86852c2bebd1236674d7887e8a/certifi-2018.11.29-py2.py3-none-any.whl
Collecting chardet<3.1.0,>=3.0.2 (from requests==2.20.0->-r serverless-todo/hello_world/requirements.txt (line 1))
  Using ca

In [9]:
!pygmentize serverless-todo/hello_world/app.py

[34mimport[39;49;00m [04m[36mjson[39;49;00m

[34mimport[39;49;00m [04m[36mrequests[39;49;00m


[34mdef[39;49;00m [32mlambda_handler[39;49;00m(event, context):
    [33m"""Sample pure Lambda function[39;49;00m
[33m[39;49;00m
[33m    Parameters[39;49;00m
[33m    ----------[39;49;00m
[33m    event: dict, required[39;49;00m
[33m        API Gateway Lambda Proxy Input Format[39;49;00m
[33m[39;49;00m
[33m        {[39;49;00m
[33m            "resource": "Resource path",[39;49;00m
[33m            "path": "Path parameter",[39;49;00m
[33m            "httpMethod": "Incoming request's method name"[39;49;00m
[33m            "headers": {Incoming request headers}[39;49;00m
[33m            "queryStringParameters": {query string parameters }[39;49;00m
[33m            "pathParameters":  {path parameters}[39;49;00m
[33m            "stageVariables": {Applicable stage variables}[39;49;00m
[33m            "requestContext": {Request context, incl

### [Validate template](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-validate-template.html)

The `aws cloudformation validate-template` command is designed to check only the syntax of your template. It does not ensure that the property values that you have specified for a resource are valid for that resource. Nor does it determine the number of resources that will exist when the stack is created.

In [10]:
!aws cloudformation validate-template --template-body file://serverless-todo/template.yaml

{
    "Parameters": [],
    "Description": "serverless-todo\nSample SAM Template for serverless-todo\n"
}


### [Package deployment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-package.html)

For some resource properties that require an Amazon S3 location (a bucket name and filename), you can specify local references instead. For example, you might specify the S3 location of your AWS Lambda function's source code or an Amazon API Gateway REST API's OpenAPI (formerly Swagger) file. Instead of manually uploading the files to an S3 bucket and then adding the location to your template, you can specify local references, called local artifacts, in your template and then use the package command to quickly upload them. A local artifact is a path to a file or folder that the package command uploads to Amazon S3. For example, an artifact can be a local path to your AWS Lambda function's source code or an Amazon API Gateway REST API's OpenAPI file.

In [11]:
!aws cloudformation package \
    --template-file serverless-todo/template.yaml \
    --output-template-file serverless-todo/sam-template.yaml \
    --s3-bucket $bucket \
    --s3-prefix serverless

Uploading to serverless/57dca2a63cf906e01b0d0dfffccd86a5  262144 / 964965.0  (27.17%)Uploading to serverless/57dca2a63cf906e01b0d0dfffccd86a5  524288 / 964965.0  (54.33%)Uploading to serverless/57dca2a63cf906e01b0d0dfffccd86a5  786432 / 964965.0  (81.50%)Uploading to serverless/57dca2a63cf906e01b0d0dfffccd86a5  964965 / 964965.0  (100.00%)
Successfully packaged artifacts and wrote output template to file serverless-todo/sam-template.yaml.
Execute the following command to deploy the packaged template
aws cloudformation deploy --template-file /home/ec2-user/SageMaker/aws-research-workshops/notebooks/serverless_apps/serverless-todo/sam-template.yaml --stack-name <YOUR STACK NAME>


### [Deploy Application](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-deploy.html)

AWS CloudFormation requires you to use a change set to create a template that includes transforms. Instead of independently creating and then executing a change set, use the `aws cloudformation deploy` command. When you run this command, it creates a change set, executes the change set, and then terminates. This command reduces the numbers of required steps when you create or update a stack that includes transforms.

In [12]:
!aws cloudformation deploy \
    --template-file serverless-todo/sam-template.yaml \
    --stack-name serverless-hello \
    --capabilities CAPABILITY_IAM


Waiting for changeset to be created..
Waiting for stack create/update to complete
Successfully created/updated stack - serverless-hello


### [View Output](https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/using-cfn-describing-stacks.html)

The `aws cloudformation describe-stacks` command provides information on your running stacks. You can use an option to filter results on a stack name. This command returns information about the stack, including the name, stack identifier, and status.

In [13]:
!aws cloudformation describe-stacks --stack-name $stack_name --region $region

{
    "Stacks": [
        {
            "StackId": "arn:aws:cloudformation:us-west-2:649037252677:stack/serverless-hello/48666040-182b-11e9-805a-503ac931688d",
            "StackName": "serverless-hello",
            "ChangeSetId": "arn:aws:cloudformation:us-west-2:649037252677:changeSet/awscli-cloudformation-package-deploy-1547490978/43336ee3-78b2-4f43-a9bb-b33e187470c9",
            "Description": "serverless-todo\nSample SAM Template for serverless-todo\n",
            "CreationTime": "2019-01-14T18:36:18.907Z",
            "LastUpdatedTime": "2019-01-14T18:36:24.174Z",
            "RollbackConfiguration": {},
            "StackStatus": "CREATE_COMPLETE",
            "DisableRollback": false,
            "NotificationARNs": [],
            "Capabilities": [
                "CAPABILITY_IAM"
            ],
            "Outputs": [
                {
                    "OutputKey": "HelloWorldFunctionIamRole",
                    "OutputValue": "arn:aws:iam::64903725

### Get the API Endpoint created from the SAM deployment

In [29]:
stacks = cfn.describe_stacks(StackName=stack_name)
stack = stacks["Stacks"][0]

for output in stack["Outputs"]:
    if output["OutputKey"] == 'HelloWorldApi':
        api_endpoint = output["OutputValue"]
#     print('%s=%s (%s)' % (output["OutputKey"], output["OutputValue"], output["Description"]))
    
print(api_endpoint)

HelloWorldFunctionIamRole=arn:aws:iam::649037252677:role/serverless-hello-HelloWorldFunctionRole-1BA4UORDC2FRS (Implicit IAM Role created for Hello World function)
HelloWorldApi=https://qap5gnmqzh.execute-api.us-west-2.amazonaws.com/Prod/hello/ (API Gateway endpoint URL for Prod stage for Hello World function)
HelloWorldFunction=arn:aws:lambda:us-west-2:649037252677:function:serverless-hello-HelloWorldFunction-2X3ZTLTGWQGL (Hello World Lambda Function ARN)
https://qap5gnmqzh.execute-api.us-west-2.amazonaws.com/Prod/hello/


### Call REST API

After we create and deploy the project we will install [httpie](https://httpie.org/) which is a framework that consists of a single `http` command designed for interaction with HTTP servers, RESTful APIs, and web services. Replace the variable `{{api-gw-address}}` with the `HelloWorldApi` in `Outputs` above.

In [30]:
!pip install httpie

[33mYou are using pip version 10.0.1, however version 18.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.[0m


In [32]:
print('calling {0}'.format(api_endpoint))
!http $api_endpoint

calling https://qap5gnmqzh.execute-api.us-west-2.amazonaws.com/Prod/hello/
[34mHTTP[39;49;00m/[34m1.1[39;49;00m [34m200[39;49;00m [36mOK[39;49;00m
[36mConnection[39;49;00m: keep-alive
[36mContent-Length[39;49;00m: 55
[36mContent-Type[39;49;00m: application/json
[36mDate[39;49;00m: Mon, 14 Jan 2019 18:57:01 GMT
[36mVia[39;49;00m: 1.1 9ef715d1b9b8a67b762e820aa1b51ded.cloudfront.net (CloudFront)
[36mX-Amz-Cf-Id[39;49;00m: w3RdoWw-2GZZsjixLxy7wy1AEDABokr9pdPm-K7umF2Z4QAVWpCFcQ==
[36mX-Amzn-Trace-Id[39;49;00m: Root=1-5c3cdb7d-c4cbf44e92eb180409c79038;Sampled=0
[36mX-Cache[39;49;00m: Miss from cloudfront
[36mx-amz-apigw-id[39;49;00m: Tgc7oGEePHcFZLw=
[36mx-amzn-RequestId[39;49;00m: 2d26a449-182e-11e9-b7d0-99d8721f1252

{
    [34;01m"location"[39;49;00m: [33m"34.216.154.35"[39;49;00m,
    [34;01m"message"[39;49;00m: [33m"hello world"[39;49;00m
}



### Create a TODO application from the Hello World example



### Create a todo

In [None]:
echo '{ "text": "My First Todo" }' | http POST https://{api-url}/dev/todos
http https://{api-url}/dev/todos

### List the todos available

In [None]:
!http POST https://{api-url}/dev/todos

Now you can see how easy it is to create a microservice using Lambda but what if we wanted to only allow authenticated users to have the ability to create todos? We can create a Cognito user pool and use it as an authorizer to the API. The deployment should have already created the Cognito user pool, so we will use that and hook it up to the create method of the service. 

Change the serverless.yml file to add the authorizer like below.

```
    authorizer:
        type: COGNITO_USER_POOLS
        authorizerId:
            Ref: TodoApiGatewayAuthorizer
```

Let's redeploy the service and try and add a todo

In [None]:
!sls deploy -v

In [None]:
!echo '{ "text": "My First Todo" }' | http POST https://{api-url}/dev/todos

This should have returned an HTTP/1.1 401 Unauthorized because you did not send the appropriate Authorization header on the call. We will simulate a user logging into the application and passing the bearer token in the headers of the request. Running the 3 methods below will simulate creating a user, confirming the user, and generating the appropriate auth for the user to be able to create the todo. Grab the IdToken generated and add it to the headers like the command below.

### Create user in Cognito

In [None]:
!aws cognito-idp sign-up --region {your-aws-region} --client-id {cognito-client-id} --username admin@example.com --password {password}

### Confirm the sign up of the user

In [None]:
!aws cognito-idp admin-confirm-sign-up --region {your-aws-region} --user-pool-id {cognito-user-pool} --username admin@example.com

### Initiate the authentication to generate the token

In [None]:
!aws cognito-idp admin-initiate-auth --region {your-aws-region} --cli-input-json file://auth.json

In [None]:
!echo '{ "text": "My Authenticated Todo" }' | http POST https://{api-url}/dev/todos Authorization:"Bearer {your-idtoken}"

Now you should have created a new todo after the authorizer approves the token.

### Register a user

> aws cognito-idp sign-up --region {your-aws-region} --client-id {your-client-id} --username admin@example.com --password {password}

### Confirm user registration

> aws cognito-idp admin-confirm-sign-up --region {your-aws-region} --user-pool-id {your-user-pool-id} --username admin@example.com

### Authenticate (get tokens)

> aws cognito-idp admin-initiate-auth --region {your-aws-region} --cli-input-json file://auth.json

### Where auth.json is:

>{
    "UserPoolId": "{your-user-pool-id}",
    "ClientId": "{your-client-id}",
    "AuthFlow": "ADMIN_NO_SRP_AUTH",
    "AuthParameters": {
        "USERNAME": "admin@example.com",
        "PASSWORD": "{password}"
    }
}

### You should get a response like this if everything is set up correctly:

>{
    "AuthenticationResult": {
        "ExpiresIn": 3600,
        "IdToken": "{your-idtoken}",
        "RefreshToken": "{your-refresh-token}",
        "TokenType": "Bearer",
        "AccessToken": "{your-access-token}"
    },
    "ChallengeParameters": {}
}

## Cleanup

In [None]:
!aws cloudformation delete-stack --stack-name $stack_name

In [None]:
workshop.delete_bucket_completely(bucket)