Setup Lambda Deployment

[00:00:00]
>> So that would allow us technically to solve for some of the issues along the way. Now, one of things I should point out, because it will kinda come up in a second, is a whole second set of functionality within Cloud Front for programming. And that one is, you can see right here, functions.

[00:00:20]
So lambda functions and CloudFront functions are different, you're like, great. We'll talk about CloudFront functions in a second. They are basically can do a whole lot less for a whole lot cheaper and a whole lot faster, right? So we'll talk about those briefly, we're gonna mostly focus just on the lambda edge ones, because they're a little bit more flexible and most CloudFront functions are just a subset of that.

[00:00:53]
All right, great, fantastic. So we can go set those up the same way we set up basically anything else, which is for any other lambda, which is to go to lambda. Now, it's kinda wild like they've radically changed the UI here, and it's still a little tricky, right?

[00:01:16]
So we can go ahead and we can create a new function. Now you see that this is also called functions here, but now we're in lambda instead of CloudFront, I don't make the rules. So we can go to say Create function, and we get a function name. We're gonna call this one fixed security headers, hypothetically, that might be a thing that we wanna do.

[00:01:46]
We can pick a runtime, Yeah, seems you thought code yumo was precarious, you don't want to see me do ruby. I used to write ruby, I don't think I can anymore. Cool, so we've got that all in place. Awesome. If you needed to talk to something else you need to give it network access we don't.

[00:02:14]
We're simply gonna rewrite a bunch of headers. And you can see it's thinking down there. I made this like booboo which I am in us-east-2, so my guess, this is probably good, I'm glad I did it, is if I go to add trigger, I'm not gonna see CloudFront in here.

[00:02:40]
Which is good because if I didn't make that mistake and you did, then you would see, I don't see CloudFront, something must be terrible. The other thing I probably will not see is over an actions, I will not see the ability to play to lambda at edge. That is because I am in us-east-2, instead of us-east-1.

[00:03:01]
Like I said before when in doubt we wanna make sure we're in us-east-1 for a lot of the CloudFront stuff. So we'll go over back to lambda which I should be in there it just takes a while, so we'll create a function again. Great. So give that a second to spin up.

[00:03:36]
And now if I go to Add trigger, I go to Select a trigger, I should see CloudFront shows up. So that's an important note, if you don't see it it's not because I took away support, it's just you're in Ohio instead of Virginia. Or you're on the west coast or you're in Europe or Asia or wherever.

[00:03:56]
So we have all those in place, so now I wanna select perhaps a trigger, will say CloudFront and I wanna deploy a new version function global to AWS locations. Now, basically, there are some limitations, none of them are meaningful to us versus regular but they just want to make sure that you know, this is gonna go distributed, it's not exactly the same as one function one place.

[00:04:23]
Cool. So we've got all of this, we don't actually have a function to deploy just yet. But this is where you have to make sure that you set one of these, Also we all had one cache behavior in our case and this should be our CloudFront distribution, and then you would acknowledge.

[00:04:44]
But let's go actually write a function this case. Now this one the one that we get by default will be basically saying listen, the event that comes in respond to it with a 200 saying hello from lambda, right? Don't even check us 3, forget everything, I know what to do, I'm a web server, everything is great, just say hello no matter what.

[00:05:13]
And honestly, you know what? Let's deploy it, right? We go ahead, you can test it out by giving a test event, any kind of just JSON object, there's a bunch of templates to have. You can have a CloudFront access request, I don't think these are super helpful. But you got the event, you got a response.

[00:05:42]
We can go ahead, we can save, I just hit Command + S, I think you can do file save too. And then we can hit Deploy. Now that is deployed to lambda, it is not deployed to CloudFront, I know. Here we go to actions, and once it is deployed into lambda, we can then send it out to the CloudFront nodes.

[00:06:08]
Lambda@Edge, we're gonna say that this is a, we're doing viewer request so it doesn't get cache invalidation. So before you check lambda, just respond with this hello, or before you check CloudFront just respond with this hello in this case. And we acknowledged I'm defining new versus function and we published it, this is like the, you could break things, right?

[00:06:32]
And we know what we're doing at this point. This is a fun little edge case. Your function execution role must be assumable by edge lambda AWS service principle. So what we need to do is actually go ahead and edit the policy document in this case. Because the default one that it makes is only for lambda, Amazon AWS.com it didn't automatically do this piece for you.

[00:07:05]
The issue as I mentioned before, is we got yelled at like, hey, you don't necessarily have the role for doing that. Because I made one the wrong region I actually have two roles and I'm not entirely sure which one it is, so I'll just do it twice. Which is we got these trust relationships.

[00:07:26]
And we'll go ahead and edit it. And it's basically what it said before, which is, hey, you said we didn't have permission for edge lambda.amazonaws.com. And it made this, you notice that I didn't make this file so I don't know why I'm getting yelled at. But we can go ahead and just say, okay, cool, making an array.

[00:07:54]
And we'll set the trust relationship is both lambda.aws.com, amazonaws.com and edge lambda. I will copy this as I have to do it twice since I made a booboo.
>> Could you show again where you got to that?
>> Yes, I will literally. So in IAM, we go to Roles and then I have these two, then we click on the role under Trust relationships, we hit Edit trust relationship.

[00:08:31]
>> So if we don't have those roles?
>> Yeah, the first time you wanted to play should make them on your behalf. So if we hit Deploy once it should go ahead, set most of everything up for you, but not enough to be helpful, right? As well. You notice that we could hit Deploy and then it went up there to the new version, it was only that kinda special drop down for deploy to lambda at edge that we got the issue before.

[00:09:06]
So we can make that a viewer request because it's kind of our dummy version Let's see, does it take a second, I might have to, you know what it is? Watch what happens if I refresh the page And I click it again. Even if you fix it, you don't refresh the page, they cached it somehow [LAUGH] and it doesn't work.

[00:09:41]
But if you refresh the page, it's the old like, did you turn it off and turn it back on again? Cuz then it totally works. All right, cool, so if I've done everything right, I should have broken my page, right? We should get that hello from lambda, Let's go to the core one, it might not have fully deployed yet.

[00:10:07]
Like the one time I want my page to have broken, it's like no, no, here's the yellow version of your page. So it could still be deploying for a moment. While we buy ourselves some time as it goes to all the edge nodes, let's talk about how to get rid of that in case you make a booboo, right?

[00:10:20]
Cuz that was an intentional booboo that we're gonna have to get rid of, so we'll go ahead and check it out. Go back into CloudFront, I was still deploying as you could see. Remember, before we kind of skipped there was all of the different functions that we had along the way.

[00:10:46]
We can go ahead and we can find that in there as well, trying to do memory thinking sort of behaviors Yep. So you can see on viewer requests, we have a lambda edge function that has been registered, that is the one that we created in us-east-1. That's just, yeah.

[00:11:10]
Fix security header, you can replace that with another one or version one is that one that we hit Deploy once, you can roll it back to a previous version, so on and so forth. If you needed to stop, you can hit No association and go for it, right?

[00:11:31]
Did it break my site yet? Okay, we got at least got an arrow, which means our function is totally working, it just failed validation, which is super interesting for the one that they gave us. But let's go ahead and actually put in a helpful one.