With one question (awesomely) answered, I had one ...
# general
b
With one question (awesomely) answered, I had one other implementation question with regards to serverless queues etc - the subscription logic in `aws-js-sqs-slack` is inline in the module. Is there documentation somewhere on how that's packaged to be delivered to Lambda/Cloud Functions/etc? The `package.json` file includes `@slack/client`, so is it just packing the entire Pulumi module definition and shipping it up? (That has some potential implications with regards to secrets, hence the question)
m
The glib answer is "magic" 😉
But I'll let @lemon-spoon-91807 and @white-balloon-205 answer that more satisfactorily
b
I intend to tell my developers that, but as the one wearing the security hat I gotta at least be able to tell an auditor what happens 😉
l
Hi ed 🙂 Let me take a look at the example
l
Yup. Thanks!
Let me break down what's going on. Feel free to interrupt at any point if you have questions 🙂
First:
Is there documentation somewhere on how that's packaged to be delivered to Lambda/Cloud Functions/etc?
Not yet. But that's on my plate to deliver
But it's a bit dense, so let's just focus on the example you listed
b
This is both super dense and super good.
l
i'm glad you think so. i'm not a great writer, so i'm happy it's at least comprehensible to you
b
(I started in compilers, I ended up running devops teams, so. 😉 )
l
that's a small victory for me.
so. in this case, we are going to serialize that JS function and make it into an AWS lambda.
b
OK, so it looks like it tree-shakes (or equivalent) to pull out dead code on a per-function basis?
l
there is a small amount of tree shaking
that is fairly conservative
b
Yeah, I'd have to think you'd err hard on the side of inclusion
l
basically, in a chain of "x.y.z.w" it will tree shake if possible if it can absolutely prove those intermediary properties are not needed
b
Makes perfect sense
l
here's an example of where/how we can tree shake, and when we can't
x.y.z()
if y is a simple prop, and 'z' is a function that does not use 'this', then we can just capture that function alone.
because invoking the function could not do anything to 'witness' the rest of the state of the 'y' value.
on the other hand, if 'z' was a function that did use 'this', then it might do something like `this.whatever()` internally, and thus the full 'y' object is needed.
b
Makes sense. And anything referenced from `x` or `y` would have to be hoisted separately?
Actually I guess that would be kind of nuts, because you'd be passing `y.foo` into `z()`, I retract the question
l
so, if we conservatively prove that data/functions cannot witness the value of the object they are defined on, then we can emit those properties as is, and elide the rest
b
That's bonkers. I love it.
l
so we would emit something morally equivalent to:
{ x: { y: { z: function() { ... } } } }
and the outer object would not have any other props than 'x', and the inner object would not have any other props than 'y', and so on and so forth
b
Makes total sense
l
so going back to that example
there is the JS/TS function.
the only thing it truly captures is the "config" module.
the config module is a local, non-node_modules, module.
basically another way of saying "it's one of your modules"
b
Yep yep. OK, awesome. And since (in an AWS context) this would be running inside a Lambda, it'll include the AWS IAM nonsense, and so creating a client here for accessing, like, Parameter Store would use the lambda's role credentials
l
yes
note: before we continue
can you clarify your secrets concern
because, there are definitely concerns here 🙂
i just want to make sure i'm on the same page as you wrt your concerns
b
The example includes secrets as literals in the pulumi stack, which gives me heartburn. But as above, I can just fetch out of Parameter Store
l
also, when in doubt, always look at the uploaded index.js file in the lambda.
gotcha!
yes. because you should be running with the right AWS creds, you should be able to do that.
also, if you end up with a small piece of sample code, that sounds like something terrific for us to have as a sample
since i imagine many customers would have that need
off to go open an issue for us to create such a sample
b
Right on. AFK a bit, but thank you!
l
if you end up with a bit of code that you end up writing that works, feel free to paste into that issue
it'll help me out in terms of writing up the sample 🙂
b
Right on. We use Azure here (AWS is my go-to because I deal with it more) but similar problems, and I'll post something in when I get around to it
Thanks!