Required Elements

If any elements in the below list are not checked, this repo will fail standards compliance.

• Not running node 4 or below
• Has at least some test coverage?
• Has a README?
• Has no hard-coded critical secrets like API keys?

Rubric

• 1 pt Is in Version Control/Github ✅ (free points)
• 1-2 pt node version:
  • 2 pt Best: running node 8+ 🏅
  • 1 pt Questionable: node 6
  • 0 pt Not ok: running node4 or below ⛔️
• 1 pt No hard-coded config parameters?
• 1 pt No special branches that need to be deployed?
  • Unsure of context on branch g++
• 1 pt All production stacks on latest master?
• 1 pt No hard-coded secrets like API keys?
• 1 pt No secrets in CloudFormation templates that don’t use [secure]?
• 1 pt CI enabled for repo?
• 1 pt Not running Circle CI version 1? (Point awarded if using Travis)
• 1 pt nyc integrated to show test coverage summary?
• 1-3 pt test coverage percentage from nyc?
  • 3 pt High coverage: > 90%
  • 2 pt Moderate coverage: between 75 and 90% total coverage
  • 1 pt 0 - 74% test coverage
• 1-2 pt evidence of bug fixes/edge cases being tested?
  • 2 pt Strong evidence/several instances noted
  • 1 pt Some evidence
• 1 pt no flags to enable different functionality in non-test environments?
• 1 pt Has README?
• 1-2 pt README explains purpose of a project and how it works to some detail?
  • 2 pt High (but appropriate) amount of detail about the project
  • 1 pt Some detail about the project documented, could be more extensive
• 1 pt README contains dev install instructions?
• 1 pt README contains CI badges, as appropriate?
• 1-2 pt Code seems self-documenting: file/module names, function names, variables? No redundant comments to explain naming conventions?
  • 2 pt Strongly self-documented code, little to no improvements needed
  • 1 pt Some evidence of self-documenting code
• 1 pt No extraneous permissions in IAM roles?
• 1 pt Stack has alarms for AWS resources used routed to PagerDuty? (CPU utilization, Lambda failures, etc.)
• 1 pt Stack has other appropriate alarms routed to PagerDuty? (Point awarded if no other alarms needed)
• 1 pt Alarms documented?
  • In progress: #29
• master branch protected?
  • 1 pt PRs can only be merged if tests are passing?
  • 1 pt PRs must be approved before merging?
• 2 pt BONUS: was this repo covered in a deep dive at some point?

Total possible: 30 points (+2 bonus)
Grading scale:

Repo grade: 25 - Scaled Grade 4

/cc @mapbox/assembly-line

• ForwarderLambdaErrorAlarm
• StatusLambdaErrorAlarm
• GatekeeperLambdaErrorAlarm
• TriggerLambdaErrorAlarm

cc @rclark

Ran into a stork alarm today with some stork errors regarding an "unprocessable entity"

sample:

{ HTTPError: Response code 422 (Unprocessable Entity)
    at stream.catch.then.e (/var/task/node_modules/got/index.js:123:13)
    at process._tickDomainCallback (internal/process/next_tick.js:135:7)
  message: 'Response code 422 (Unprocessable Entity)',
  host: 'api.github.com',
  hostname: 'api.github.com',
  method: 'POST',
  path: <repo path>,
  statusCode: 422,
  statusMessage: 'Unprocessable Entity' }

@rclark determined that the end of that path is a sha, and some quick investigating it became clear that sha was not present on github.

It looks like stork will error when a sha is force pushed or deleted.

cc: @rclark

edited: removed repo path (@kellyoung)

Today, we got an alarm because the trigger function error'ed when an incorrectly named .yml file was used.

2017-11-02T18:36:28.441Z    bc7ecdd9-bffc-11e7-aba8-f192b47c1978
{
    "errorMessage": "ENOENT: no such file or directory, open '/var/task/buildspecs/node4.3.yml'",
    "errorType": "Error",
    "stackTrace": [
        "Error (native)",
        "Object.fs.openSync (fs.js:641:18)",
        "Object.fs.readFileSync (fs.js:509:33)",
        "getDefaultBuildspec (/var/task/lambda.js:318:13)",
        "githubToken.then.then.then.then (/var/task/lambda.js:396:33)",
        "process._tickDomainCallback (internal/process/next_tick.js:135:7)"
    ]
}

We should modify the trigger function so that it handles errors such as spelling errors in a different way.

cc/ @mapbox/platform

Add logging to back to the status lambda for alarm debugging.

This is set up right now such that you could run a bundle-shepherd stack in each AWS region you want to write bundles to, and then subscribe your repository to all of the webhook urls.

It would be better if one stack could write to several locations. This can't be done with the out-of-the-box codebuild artifacts settings. It has to be done via custom code.

• I want to hook up my node.js repo for lambda bundles
• I want to hook up my python2.7 repo for lambda bundles
• Where are my bundles?
• I want to hook up a custom codebuild continuous integration service

We're going with npm for our lockfiles

Right now we only pass the NPM_ACCESS_TOKEN variable in the codebuild project to be able to install nodejs package from public and private repo.

When it comes to Python sadly there is not such private and public packages, to overcome this we can use private GitHub repo (pip3 install git+https://$GITHUB_ACCESS_TOKEN:[email protected]/blaabla/blabla.git), but to be able to do so within the codebuild project we need to have access to the GITHUB_ACCESS_TOKEN.

@rclark Do you think we could add this variable into the project ?

Does Stork allow for targeting subdirectories with their own package.json for zipping?

Use Case

I have a repo that is using step functions to create and monitor the progress of ecs-watchbot jobs. the repo has a single package.json which includes the dependencies for both the lambda step functions and the ecs-watchbot worker. Unfortunately the ecs-watchbot worker has dependencies that have build steps that depend on system libs that are not on the stork images.

Current work arounds

Using a custom stork image or moving the install of culprit dependencies into the ecs-watchbot Dockerfile. I would love to be able to have stork use an image representative of the lambda runtime, keep all my dependencies in a package.json and not have stork zip any dependencies not used by my lambda functions.

Proposed change

If I could keep all of my lambda functions in their own directory with its own package.json and have stork target that directory I could avoid having to do any workaround nasty-jams and keep any ecs-watchbot only node_modules out of the lambda .zips

Lambda supports nodejs4.3, we should support it too.

According to this documentation, git URLs are valid npm dependencies in a package.json file: https://docs.npmjs.com/files/package.json#git-urls-as-dependencies

However, stork errors with this message:

[Container] 2017/12/21 15:16:02 Running command npm install --production
npm ERR! code ENOGIT
npm ERR! No git binary found in $PATH
npm ERR! Failed using git.
npm ERR! Please check if you have git installed and in your PATH.

Would it make sense to include git as a dependency in the node dockerfiles? Or should I use a custom buildspec.yaml in that situation?

https://aws.amazon.com/about-aws/whats-new/2018/04/aws-lambda-supports-nodejs/ it would be v. legit if Stork supported the node 8.10 runtime

A very rare occurrence, from the trigger function's logs:

2017-10-05T20:35:40.161Z	bfa880b4-aa0c-11e7-b661-3b257937c083
{
    "errorMessage": "Unexpected token < in JSON at position 0 in \"https://api.github.com/app\": \n<!DOCTYPE html>\n<html>\n  <head>\n    <meta http-equiv=\"Content-type\" content=\"...",
    "errorType": "ParseError",
    "stackTrace": [
        "<!DOCTYPE html>",
        "<html>",
        "  <head>",
        "    <meta http-equiv=\"Content-type\" content=\"...",
        "stream.catch.then.e (/var/task/node_modules/got/index.js:118:14)",
        "process._tickDomainCallback (internal/process/next_tick.js:135:7)"
    ]
}

The error occurred somewhere in this bit of code, which involves getting a github token, and then checking for buildspec.yml and/or .stork.json in the repository.

Next steps

• why does this stack trace suck so hard?
• where can we catch this parse error so we can either surface the github api error or retry the request?

cc @kellyoung

We saw 404's on stork today when:

• there had been a recent commit to to-fix-internal
• @rclark removed stork from to-fix-internal shortly after the commit

End result was

2017-10-30T20:40:44.102Z    99a31736-bdb2-11e7-8ec9-fd593e309025    { HTTPError: Response code 404 (Not Found)
at stream.catch.then.e (/var/task/node_modules/got/index.js:123:13)
at process._tickDomainCallback (internal/process/next_tick.js:135:7)
message: 'Response code 404 (Not Found)',
host: 'api.github.com',
hostname: 'api.github.com',
method: 'POST',
path: '/repos/mapbox/to-fix-internal/statuses/0eb154f84c9ed67ae8892dd754516cb69689ace2',
statusCode: 404,
statusMessage: 'Not Found' }

That gitsha exists, but stork couldn't see it any longer because it no longer had access to to-fix-internal

The errors subsided on its own after the initial trouble; posting this ticket to document another github api edge case where stork can run into trouble.

cc: @rclark

A while ago we built a demo that runs an Alexa Skill on a Lambda, this was built with Java because we used Mapbox Java Services (https://github.com/mapbox/mapbox-java). The code for the Lambda can be found on https://github.com/mapbox/mapbox-assistant-example.

Right now, we're manually building the .zip file every time there's a new release (make build in the root folder) which is far from ideal. We'd love to use Stork instead.

By looking at the current documentation, looks like only Node and Python are supported, so I'd like to explore the option of supporting Java as well (if this is possible). From the docs, looks like I should start by contributing a new Dockerfile that enables Java. As I'm not super-familiar with Stork, is there anything else that I should do? Is this possible at all?