Modify Cloud Infrastructure
Learn how to modify cloud infrastructure resources deployed by Webiny.
- how to modify cloud infrastructure resources deployed by Webiny
Overview
Users use the webiny deploy command to deploy their Webiny project, into an environment of their choice. During the deployment, apart from building the actual project applications, the command also ensures that a set of required cloud infrastructure resources is deployed.And although the cloud infrastructure resources that Webiny deploys are already configured in the best possible manner, there are still cases where some modifications might be needed. In some cases even, the deployed cloud infrastructure needs to be expanded by introducing additional resources into the mix.
To do this, we rely on four webiny.application.ts configuration files, located in each of the four project application folders in every Webiny project:
- Core (
apps/core/webiny.application.ts
) - API (
apps/api/webiny.application.ts) - Admin (
apps/admin/webiny.application.ts) - Website (
apps/website/webiny.application.ts)
Which webiny.application.ts config file needs to be changed depends on the nature of the change that needs to be made.
For example, let’s imagine we want to adjust the configuration of the Amazon S3 bucket that’s deployed for storing files uploaded via Webiny File Manager. Since this bucket is deployed as part of the Core project application, naturally, we’d want to apply changes via the apps/core/webiny.application.ts configuration file.
The following example demonstrates how the bucket can be adjusted to enable object versioning , which essentially enables keeping multiple variants of an object in the same bucket:
import * as aws from "@pulumi/aws";
import { createCoreApp } from "@webiny/serverless-cms-aws";
export default createCoreApp({
// By passing a callback function via the `pulumi` parameter, we gain the
// ability to modify project application's cloud infrastructure resources.
pulumi: ({ resources }) => {
// Cloud infrastructure resources can be referenced via the `resources`
// object. We then use resources' `config` objects to apply modifications.
const { fileManagerBucket } = resources;
fileManagerBucket.config.versioning({ enabled: true });
}
});As we can see, using the pulumi parameter, we’ve passed a relatively simple callback function that enables object versioning in two steps:
- references the relevant bucket via the
fileManagerBucketconst - uses the reference to enable bucket versioning, via the
fileManagerBucket.config.versioning
Once the above code change has been made, all that is left to do is a redeploy by running the following command:
# Make sure to replace {env} with the actual name of the environment.
yarn webiny deploy apps/core --env {env}With the deployment successfully completed, the object versioning should be enabled for your project (for all files that are uploaded via Webiny File Manager).
When redeploying, make sure to redeploy the project application within which the changes were actually made. In the above example, we’ve made changes within the Core application’s webiny.application.ts file, meaning the Core application needs to be redeployed in order to actually see the changes.
Additional Examples
In this section, we cover a couple of additional examples of modifying cloud infrastructure resources that get deployed with every Webiny project.
Tagging Cloud Infrastructure Resources
The following example shows how to apply tags to all cloud infrastructure resources deployed as part of the Core project application. Note that the same approach can be used for all four applications.
import * as aws from "@pulumi/aws";
import { createCoreApp } from "@webiny/serverless-cms-aws";
import { tagResources } from "@webiny/pulumi-aws";
export default createCoreApp({
pulumi: () => {
// We are assigning Owner and Contact tags, whose values
// are read from runtime environment variables.
tagResources({
Owner: String(process.env["OWNER"]),
Contact: String(process.env["CONTACT"])
});
}
});Note that the tagResources function applies tags only to resources that can actually be tagged. Full list of resources can be found here .
Retrieving the Deployment Environment
Upon running the webiny deploy command, we specify the environment into which we want to deploy our project (or a specific project application). In more complex cases, we may need to retrieve the environment in order to conditionally apply different configuration to our cloud infrastructure.The following example shows how we can read the environment into which the application is being deployed.
import { createCoreApp } from "@webiny/serverless-cms-aws";
export default createCoreApp({pulumiResourceNamePrefix: "wby-",pulumi: ({ params }) => { // We can retrieve the environment name via "run" parameters. const { env } = params.run; if (env === "prod") { // Apply additional configuration. }}});Note that, in the above example, we’ve made the changes within the Core application’s webiny.application.ts configuration file, but the same works with other applications as well.
Furthermore, this approach can also be used with other parameters, not just pulumi. For example, we can use the same approach when defining the resource name prefix.
import { createCoreApp } from "@webiny/serverless-cms-aws";
export default createCoreApp({ pulumiResourceNamePrefix: "wby-", pulumiResourceNamePrefix: ({ params }) => { // We can retrieve the environment name via "run" parameters. const { env } = params.run; if (env === "prod") { // Let's add the "prod" into the prefix. return "wby-prod-"; }
// Not production? Just return the default prefix. return "wby-"; }});Defining Multiple Production Environments
Upon running the webiny deploy command, when prod is passed as the environment name, a Webiny project is deployed in the so-called production deployment mode .On order to use the production deployment mode for environments other than prod, we can use the productionEnvironments parameter. The following example shows how we can use the production mode for the staging environment:
import { createCoreApp } from "@webiny/serverless-cms-aws";
export default createCoreApp({pulumiResourceNamePrefix: "wby-",
// Treats provided environments as production environments, which// are deployed in production deployment mode.productionEnvironments: ["prod", "staging"]});Note that when specifying additional production environments, they should be specified across all project applications, meaning:
- Core (
apps/core/webiny.application.ts) - API (
apps/api/webiny.application.ts) - Admin (
apps/admin/webiny.application.ts) - Website (
apps/website/webiny.application.ts)
Modifying AWS IAM Roles
AWS Lambda - Default GraphQL API Function
The following example shows how you can modify the default AWS IAM role that’s assigned to the AWS Lambda function that represents your default GraphQL API (the one accessed via the https://xyz.cloudfront.net/graphql URL).
import * as aws from "@pulumi/aws";
import { createApiApp } from "@webiny/serverless-cms-aws";
export default createApiApp({
pulumiResourceNamePrefix: "wby-",
pulumi: ({ resources }) => {
const policy = new aws.iam.Policy("ses-policy", {
description: "This policy enables access to Amazon SES.",
policy: {
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Action: ["ses:SendEmail"],
Resource: ["arn:aws:ses:*:*:identity/*"]
}
]
}
});
new aws.iam.RolePolicyAttachment("graphql-role-ses-policy-attachment", {
role: resources.graphql.role.output.name,
policyArn: policy.arn
});
}
});AWS Lambda - Headless CMS GraphQL API Function
The following example shows how you can modify the default AWS IAM role that’s assigned to the AWS Lambda function that represents your Headless CMS GraphQL API (the one accessed via the https://xyz.cloudfront.net/cms/{type}/{locale} URL).
When compared to the example above, the only difference is that here we’re targeting the resources.headlessCms.role role with the aws.iam.RolePolicyAttachment, instead of resources.graphql.role role.
import * as aws from "@pulumi/aws";
import { createApiApp } from "@webiny/serverless-cms-aws";
export default createApiApp({
pulumiResourceNamePrefix: "wby-",
pulumi: ({ resources }) => {
const policy = new aws.iam.Policy("ses-policy", {
description: "This policy enables access to Amazon SES.",
policy: {
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Action: ["ses:SendEmail"],
Resource: ["arn:aws:ses:*:*:identity/*"]
}
]
}
});
new aws.iam.RolePolicyAttachment("graphql-role-ses-policy-attachment", {
role: resources.headlessCms.role.output.name,
policyArn: policy.arn
});
}
});Adding AWS Lambda Functions
Creating a Cron Job
In this example, we introduce a new AWS Lambda function which is triggered once every minute.
Note that the code assumes the AWS Lambda function’s code is located in the apps/api/myCronJob folder. For the full code, please check our webiny-examples GitHub repository.
import * as path from "path";
import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";
import { createApiApp } from "@webiny/serverless-cms-aws";
export default createApiApp({
pulumiResourceNamePrefix: "wby-",
pulumi({ paths }) {
const role = new aws.iam.Role("my-cron-job-fn-role", {
description: "My cron job Lambda function role.",
assumeRolePolicy: {
Version: "2012-10-17",
Statement: [
{
Action: "sts:AssumeRole",
Principal: {
Service: "lambda.amazonaws.com"
},
Effect: "Allow"
}
]
}
});
new aws.iam.RolePolicyAttachment(`my-cron-job-fn-role-basic-execution-policy-attachment`, {
role,
policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole
});
const policy = new aws.iam.Policy("my-cron-job-fn-policy", {
description: "My cron job Lambda function policy.",
policy: {
Version: "2012-10-17",
Statement: [
{
// Not recommended. Always use least-privilege principle.
Effect: "Allow",
Action: ["*"],
Resource: ["*"]
}
]
}
});
new aws.iam.RolePolicyAttachment("my-cron-job-fn-role-policy-attachment", {
role: role.name,
policyArn: policy.arn
});
const simpleCronJobFunction = new aws.lambda.Function("my-cron-job-fn", {
runtime: "nodejs14.x",
handler: "handler.handler",
description: "A simple Lambda function that logs time (executed in my cron job).",
role: role.arn,
timeout: 30,
memorySize: 512,
code: new pulumi.asset.AssetArchive({
".": new pulumi.asset.FileArchive(path.join(paths.workspace, "myCronJob/build"))
})
});
const eventRule = new aws.cloudwatch.EventRule("my-cron-job-fn-event-rule", {
description: `My cron job rule.`,
scheduleExpression: "rate(1 minute)",
isEnabled: true
});
new aws.lambda.Permission("my-cron-job-fn-events-permission", {
action: "lambda:InvokeFunction",
function: simpleCronJobFunction.arn,
principal: "events.amazonaws.com",
sourceArn: eventRule.arn
});
new aws.cloudwatch.EventTarget("my-cron-job-fn-event-target", {
rule: eventRule.name,
arn: simpleCronJobFunction.arn
});
}
});Adjusting Amazon Elasticsearch (OpenSearch) Configuration
Amazon Elasticsearch (OpenSearch) is deployed as part of the Core project application. In order to make changes to it, we need to make changes in the apps/core/webiny.application.ts configuration file.
import * as aws from "@pulumi/aws";
import { createCoreApp } from "@webiny/serverless-cms-aws";
import { isResourceOfType } from "@webiny/pulumi";
export default createCoreApp({
elasticSearch: true,
pulumi: ({ onResource }) => {
onResource(resource => {
if (isResourceOfType(resource, aws.elasticsearch.Domain)) {
// Set the instance type.
resource.config.clusterConfig(() => {
return {
instanceType: "t3.small.elasticsearch"
};
});
// Set Elasticsearch (OpenSearch) version.
resource.config.elasticsearchVersion("7.7");
// Change advanced options.
resource.config.advancedOptions({
override_main_response_version: "false",
"rest.action.multi.allow_explicit_index": "true"
});
resource.opts.ignoreChanges = ["advancedOptions", "tags"];
}
});
}
});Adjusting Amazon CloudFront Distribution Configuration
A single Webiny project deploys four Amazon CloudFront distributions: one for API, one for Admin, and two for Website project application.Therefore, if there’s a need to apply a change across all distributions, the change needs to be applied via the following three webiny.application.ts configuration files:
The following example demonstrates how we can adjust the TLS version for the distribution that’s deployed as part of the API project application.
import { createApiApp } from "@webiny/serverless-cms-aws";
export default createApiApp({
pulumi({ resources }) {
resources.cloudfront.config.viewerCertificate(config => {
return { ...config, minimumProtocolVersion: "TLSv1.2_2021" };
});
}
});