Using serverless technologies brings a number of challenges for large, enterprise-scale systems. This talk covers the problems faced and offers insights and recommendations to help others wanting to use serverless for non-trivial use cases.
Serverless Components (@RafalGancarz)
• Isolated infrastructure stack (Terraform state)
• Consistent naming of resources
• Dedicated build/deployment pipeline
• 0 .. N Lambda functions
• Explicitly defined security policies and dependencies
• Optionally exposes an API
• Optionally exposes domain events
• Optionally subscribes to event sources
[Diagram: components A, B and C, with APIs]
APIs
used for model validation and contract testing
• API versioning (for non-backward-compatible changes)
• Developer portal for API discovery and documentation
Security principles
credentials and STS used for operations/tooling access
• Credential/key rotation
• Encryption in transfer
• Encryption in storage (for sensitive data)
Lessons learned
problems to solve (sometimes not the problems you’d like to be solving)
• Serverless evolves rapidly - new tools/solutions are emerging, new features becoming available, new ideas & patterns are being shared
• Strong dependency on the cloud provider (SDKs, tools, support, limits)
• Plan/adapt your capacity (DynamoDB, Kinesis)
• Serverless frameworks are great for some use cases but quite opinionated and limiting for others (particularly around stack provisioning/management)
• Tooling is sparse, a lot of ‘build your own’