boundless-monkey-50243

08/23/2018, 8:33 PM
With one question (awesomely) answered, I had one other implementation question with regards to serverless queues etc - the subscription logic in aws-js-sqs-slack is inline in the module. Is there documentation somewhere on how that's packaged to be delivered to Lambda/Cloud Functions/etc? The package.json file includes @slack/client, so is it just packing the entire Pulumi module definition and shipping it up? (That has some potential implications with regards to secrets, hence the question)

microscopic-florist-22719

08/23/2018, 8:34 PM
The glib answer is "magic" 😉
But I'll let @lemon-spoon-91807 and @white-balloon-205 answer that more satisfactorily

boundless-monkey-50243

08/23/2018, 8:34 PM
I intend to tell my developers that, but as the one wearing the security hat I gotta at least be able to tell an auditor what happens 😉

lemon-spoon-91807

08/23/2018, 8:35 PM
Hi ed 🙂 Let me take a look at the example

lemon-spoon-91807

08/23/2018, 8:35 PM
Yup. Thanks!
Let me break down what's going on. Feel free to interrupt at any point if you have questions 🙂
First:
Is there documentation somewhere on how that's packaged to be delivered to Lambda/Cloud Functions/etc?
Not yet. But that's on my plate to deliver
But it's a bit dense, so let's just focus on the example you listed

boundless-monkey-50243

08/23/2018, 8:39 PM
This is both super dense and super good.

lemon-spoon-91807

08/23/2018, 8:39 PM
i'm glad you think so. i'm not a great writer, so i'm happy it's at least comprehensible to you

boundless-monkey-50243

08/23/2018, 8:39 PM
(I started in compilers, I ended up running devops teams, so. 😉 )

lemon-spoon-91807

08/23/2018, 8:39 PM
that's a small victory for me.
so. in this case, we are going to serialize that JS function and make it into an AWS lambda.

boundless-monkey-50243

08/23/2018, 8:40 PM
OK, so it looks like it tree-shakes (or equivalent) to pull out dead code on a per-function basis?

lemon-spoon-91807

08/23/2018, 8:40 PM
there is a small amount of tree shaking
that is fairly conservative

boundless-monkey-50243

08/23/2018, 8:41 PM
Yeah, I'd have to think you'd err hard on the side of inclusion

lemon-spoon-91807

08/23/2018, 8:41 PM
basically, in a chain of "x.y.z.w" it will tree shake if possible if it can absolutely prove those intermediary properties are not needed

boundless-monkey-50243

08/23/2018, 8:42 PM
Makes perfect sense

lemon-spoon-91807

08/23/2018, 8:42 PM
here's an example of where/how we can tree shake, and when we can't
x.y.z()
if y is a simple prop, and 'z' is a function that does not use 'this', then we can just capture that function alone.
because invoking the function could not do anything to 'witness' the rest of the state of the 'y' value.
on the other hand, if 'z' was a function that did use 'this', then it might do something like this.whatever() internally, and thus the full 'y' object is needed.

boundless-monkey-50243

08/23/2018, 8:43 PM
Makes sense. And anything referenced from x or y would have to be hoisted separately?
Actually I guess that would be kind of nuts, because you'd be passing y.foo into z(), I retract the question

lemon-spoon-91807

08/23/2018, 8:44 PM
so, if we conservatively prove that data/functions cannot witness the value of the object they are defined on, then we can emit those properties as is, and elide the rest

boundless-monkey-50243

08/23/2018, 8:44 PM
That's bonkers. I love it.

lemon-spoon-91807

08/23/2018, 8:44 PM
so we would emit something morally equivalent to:
{ x: { y: { z: function() { ... } } } }
and the outer object would not have any other props than 'x', and the inner object would not have any other props than 'y', and so on and so forth

boundless-monkey-50243

08/23/2018, 8:47 PM
Makes total sense

lemon-spoon-91807

08/23/2018, 8:47 PM
so going back to that example
there is the JS/TS function.
the only thing it truly captures is the "config" module.
the config module is a local, non-node_modules, module.
basically another way of saying "it's one of your modules"

boundless-monkey-50243

08/23/2018, 8:48 PM
Yep yep. OK, awesome. And since (in an AWS context) this would be running inside a Lambda, it'll include the AWS IAM nonsense, and so creating a client here for accessing, like, Parameter Store would use the lambda's role credentials

lemon-spoon-91807

08/23/2018, 8:49 PM
yes
note: before we continue
can you clarify your secrets concern
because, there are definitely concerns here 🙂
i just want to make sure i'm on the same page as you wrt your concerns

boundless-monkey-50243

08/23/2018, 8:50 PM
The example includes secrets as literals in the pulumi stack, which gives me heartburn. But as above, I can just fetch out of Parameter Store

lemon-spoon-91807

08/23/2018, 8:51 PM
also, when in doubt, always look at the uploaded index.js file in the lambda.
gotcha!
yes. because you should be running with the right AWS creds, you should be able to do that.
also, if you end up with a small piece of sample code, that sounds like something terrific for us to have as a sample
since i imagine many customers would have that need
off to go open an issue for us to create such a sample

boundless-monkey-50243

08/23/2018, 8:53 PM
Right on. AFK a bit, but thank you!

lemon-spoon-91807

08/23/2018, 8:57 PM
if you end up with a bit of code that you end up writing that works, feel free to paste into that issue
it'll help me out in terms of writing up the sample 🙂

boundless-monkey-50243

08/23/2018, 9:08 PM
Right on. We use Azure here (AWS is my go-to because I deal with it more) but similar problems, and I'll post something in when I get around to it
Thanks!