Skip to content

RFC: Validate incoming and outgoing events utility #95

Closed
@heitorlessa

Description

@heitorlessa

Key information

Summary

This utility helps you validate incoming events from Lambda event sources as well as the response from your Lambda handler - All based on JSON Schemas. You can either validate an entire incoming event including the chosen event source wrapper, or only the event payload/body if you will.

Motivation

Well-Architected Serverless Lens recommends validating events under the Security pillar. As of now, customers have to implement their own validation mechanisms, bring additional dependencies, and end up crafting multiple JSON Schemas for popular event sources.

We could ease that by including in Powertools and lowering the bar for entry.

Proposal

This utility would use the already present Fast JSON Schema lib to validate both incoming and outgoing events using a preferred JSON Schema.

Another plus is that we can use our Middleware Factory to make this easier to implement, and automatically trace it with X-Ray to profile performance impact when necessary.

Validating both inbound/outbound

from aws_lambda_powertools.utilities import validator

@validator(inbound=inbound_schema_dict, outbound=outbound_schema_dict)
def lambda_handler(evt, ctx):
    ...

For customers wanting to validate only the payload of popular event sources, say API Gateway, this utility will work in tandem with an extractor utility - That will provide the following benefits:

  • Validate only the actual event payload of a popular event source
    • e.g. validate API GW POST payload event (event['body']) itself not the whole API GW event
  • Craft your own JSON Schema to help you validate payload as well as things like headers/message attributes, etc.

By default, envelopes will pluck only the payload of a message within the event. Allowing multiple paths can easily add complexity, so we will defer to customers creating their own envelopes if they want to.

Validating inbound with built-in popular event source schemas

from aws_lambda_powertools.utilities import validator
from aws_lambda_powertools.utilities.extractor import envelopes

@validator(inbound=inbound_schema, envelope=envelopes.api_gateway_rest)
def lambda_handler(evt, ctx):
    ...

Drawbacks

  • JSON Schemas are not offered today for Lambda Event Sources; this means maintaining it
  • Validating JSON Schemas can add up to ~25ms during cold start executions
    • Invalid schemas or compiled-once are microseconds

Rationale and alternatives

  • What other designs have been considered? Why not them?: Lambda Decorators Validate - It'd mean bringing two additional dependencies for a single utility, and schema is slower than fastjsonschema we already include in Powertools
  • What is the impact of not doing this?: Customers less experienced with Lambda might end up reinventing the wheel, and accidentally bringing less performant or incorrect validations.

Unresolved questions

  • Should we validate the event source per se, the event within the event source envelope, or both
    • e.g. message body in API GW, message within SQS Array object, etc.
    • UPDATE: We'll create an extractor utility to not violate SRP
  • Should we also optionally serialize the event before validating?

Optional, stash area for topics that need further development e.g. TBD

Metadata

Metadata

Assignees

Labels

Type

No type

Projects

Status

Triage

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions