swift-openapi-lambda/Examples/quoteapi
Sébastien Stormacq 10f3e99c4d Apply recommendation for security and reliability (#24)
Apply recommendations in code and documentation

- [CI] restrict permissions to `read-all` instead of the default `write-all`
- Example `openapi.yaml`: add a note about using `security:` definition when deploying to production
- Example `README.md`: add a note about Lambda functions configuration with improved security and scalability changes for production environment

2025-09-27 12:05:20 +02:00

QuoteAPI

This application illustrates how to deploy a Server-Side Swift workload on AWS using the AWS Serverless Application Model (SAM) toolkit. The workload is a simple REST API that returns a string from an Amazon API Gateway. Requests to the API Gateway endpoint are handled by an AWS Lambda Function written in Swift.

Prerequisites

To build this sample application, you need:

Build the application

The sam build command uses Docker to compile your Swift Lambda function and package it for deployment to AWS.

sam build

On macOS, you might need to run this command if sam doesn't see docker:

export DOCKER_HOST=unix://$HOME/.docker/run/docker.sock

Deploy the application

The sam deploy command creates the Lambda function and API Gateway in your AWS account.

sam deploy --guided

The project creates an API endpoint protected by bearer token authorization. Use the token value '123' while testing. You can change the token validation logic in the LambdaAuthorizer function. To learn more about Lambda authorizer functions, refer to the API Gateway documentation.

Use the API

At the end of the deployment, SAM displays the endpoint of your API Gateway:

Outputs
----------------------------------------------------------------------------------------
Key                 SwiftAPIEndpoint
Description         API Gateway endpoint URL for your application
Value               https://[your-api-id].execute-api.[your-aws-region].amazonaws.com
----------------------------------------------------------------------------------------

Use cURL or a tool such as Postman to interact with your API. Replace [your-api-endpoint] with the SwiftAPIEndpoint value from the deployment output.

Invoke the API Endpoint

curl -H 'Authorization: Bearer 123' https://[your-api-endpoint]/stocks/AMZN

Test the API Locally

SAM also allows you to execute your Lambda functions locally on your development computer. Follow these instructions to execute the Lambda function locally. Further capabilities can be explored in the SAM Documentation.

Event Files

When a Lambda function is invoked, API Gateway sends an event to the function with all the data packaged with the API call. When running the functions locally, you pass in a JSON file to the function that simulates the event data. The events folder contains a JSON file for the function.

Invoke the Lambda Function Locally

sam local invoke QuoteService --event events/GetQuote.json

On macOS, you might need to run this command if sam doesn't see docker:

export DOCKER_HOST=unix://$HOME/.docker/run/docker.sock

Cleanup

When finished with your application, use SAM to delete it from your AWS account. Answer Yes (y) to all prompts. This will delete all of the application resources created in your AWS account.

sam delete

⚠️ Security and Reliability Notice

This is an example application for demonstration purposes. When deploying such infrastructure in production environments, we strongly encourage you to follow these best practices for improved security and resiliency:

Note: The openapi.yaml file in this example is not suited for production. In real-world scenarios, you must:

  1. Ensure that the global security field has rules defined
  2. Ensure that the security field of each operation is not empty (OpenAPI Security Specification)
  3. Follow proper authentication, authorization, input validation, and error handling practices

These correspond to the Checkov CKV_OPENAPI_4 and CKV_OPENAPI_5 security checks.
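As an added illustration of points 1 and 2 above (this is not the example's own openapi.yaml), a minimal OpenAPI document that satisfies both Checkov checks; the scheme name bearerAuth, the path parameter name symbol, the operationId and the text/plain response are assumptions:

```yaml
openapi: "3.1.0"
info:
  title: QuoteAPI
  version: "1.0.0"

# Weak form (what CKV_OPENAPI_4 flags): the top-level `security` key is
# absent or set to `security: []`, so every operation is public unless it
# declares its own requirement.
#
# Hardened form: declare a scheme and require it globally, as below.
components:
  securitySchemes:
    bearerAuth:            # assumed scheme name; any identifier works
      type: http
      scheme: bearer       # matches the `Authorization: Bearer ...` header used by the curl call

security:
  - bearerAuth: []         # CKV_OPENAPI_4: a global security rule is defined

paths:
  /stocks/{symbol}:
    get:
      operationId: getQuote   # assumed; the real operationId may differ
      parameters:
        - name: symbol        # assumed parameter name
          in: path
          required: true
          schema:
            type: string
      # CKV_OPENAPI_5: an operation-level `security: []` overrides the global
      # rule with "no authentication" and re-exposes the route. Either omit
      # the key (the global rule is inherited) or restate it, as here.
      security:
        - bearerAuth: []
      responses:
        "200":
          description: Current quote for the requested symbol
          content:
            text/plain:
              schema:
                type: string
```

Running checkov against this file reports CKV_OPENAPI_4 and CKV_OPENAPI_5 as passed; deleting the global `security` block or changing the operation's entry to `security: []` makes the corresponding check fail.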