• Update registrar to the new /deployments admin API
• Various accumulated API improvements and cleanups
• Release in sync with the 0.7.0 Restate release, tag it as 0.7.0 for clarity

Fix several known issues in register-service-handler.ts as of 2023-11-20.

The registration response looks like this:

% curl -X POST http://localhost:9070/endpoints -H 'content-type: application/json' -d '{"arn": "arn:aws:lambda:eu-central-1:663487780041:function:pavel-RestateStack-GreeterA41DC22A-o8knTdFWTHtj:3"}' -m 3
{"id":"YXJuOmF3czpsYW1iZGE6ZXUtY2VudHJhbC0xOjY2MzQ4Nzc4MDA0MTpmdW5jdGlvbjpwYXZlbC1SZXN0YXRlU3RhY2stR3JlZXRlckE0MURDMjJBLW84a25UZEZXVEh0ajoz","services":[{"name":"Greeter","revision":1}]}

Setup example with sdk java and test it's correctly working with lambda.

CloudFormation stack outputs must be unique within the account. The LambdaServiceRegistry construct creates such an output to hold the value of the custom resource provider ARN but it's not unique per deployment, leading to errors like this when more than one CDK stack containing this Restate construct is deployed to the same account:

Export with name RegistrationProviderToken is already exported by stack LambdaTsCdkStack. Rollback requested by user.

Set a higher default read timeout for nginx, and make it configurable.

The Restate AWS Lambda endpoints do not authenticate incoming requests; these currently happen via unauthenticated API Gateway HTTP REST API. Migrate to the native Lambda::InvokeFunction mechanism introduced in Restate 0.5.0.

Replace the ALB load balancer that is exposing the Restate ingress endpoint to the world. Ideally we want all of these properties:

• Add support for HTTPS

• As a further cost optimization we can also offer the option of using a Lambda-based HTTP reverse proxy as documented in [1]

[1]. https://dev.to/aws-builders/serverless-proxy-with-aws-api-gateway-and-aws-lambda-3bd2

In scope:

• other than endpoint configuration, any service handler CDK stack should not be any different between self-hosted and managed modes
• customers should have a comparable deployment experience when building with CDK, whether they are deploying a self-hosted Restate instance with CDK or only handlers registered with a managed service endpoint
• update the restate-holiday example to support a one-command deployment to a pre-provisioned managed cluster

The following code fails to deploy with @restatedev/[email protected]:

const app = new cdk.App();
const stack = new cdk.Stack(app, "e2e-RestateServerEC2", {
  env: { account: app.node.getContext("account"), region: app.node.getContext("region") },
});

const handler: lambda.Function = new lambda.Function(stack, "Service", {
  runtime: lambda.Runtime.NODEJS_LATEST,
  code: lambda.Code.fromAsset("bundle.js"),
  handler: "handler",
});

const environment = new SingleNodeRestateDeployment(stack, "Restate", {
  logGroup: new logs.LogGroup(stack, "RestateLogs", {
    retention: logs.RetentionDays.ONE_MONTH,
    removalPolicy: cdk.RemovalPolicy.DESTROY,
  }),
});

const deployer = new ServiceDeployer(stack, "ServiceDeployer", {
  logGroup: new logs.LogGroup(stack, "Deployer", {
    retention: logs.RetentionDays.ONE_MONTH,
    removalPolicy: cdk.RemovalPolicy.DESTROY,
  }),
  // vpc,
  // vpcSubnets,
});

deployer.deployService("Greeter", handler.currentVersion, environment, {
  private: false,
  insecure: true, // self-signed certificate
  skipInvokeFunctionGrant: true,
});

The deployment error is:

UPDATE_ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: Giving up after 3 attempts. Last error: Registration failed (500): {"message":"[META0003] client error: lambda service returned error: dispatch failure: other: an error occurred while loading credentials: service error: unhandled error (AccessDenied): Error { code: \"AccessDenied\", message: \"User: arn:aws:sts::663487780041:assumed-role/LambdaTsCdkStack-RestateInstanceRoleACC59A6F-Eoxwkukngoh4/i-07ee19f38ba94329c is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::663487780041:role/LambdaTsCdkStack-RestateInstanceRoleACC59A6F-Eoxwkukngoh4\", aws_request_id: \"25ae3770-3216-4073-b358-977683c0cafa\" } (DispatchFailure(DispatchFailure { source: ConnectorError { kind: Other(None), source: ProviderError(ProviderError { source: ServiceError(ServiceError { source: Unhandled(Unhandled { source: ErrorMetadata { code: Some(\"AccessDenied\"), ...

This is because the SingleNodeRestateDeployment class exposes the EC2 instance profile role as the "invoker role" but Restate is already implicitly running with this, and trying to assume itself.

The RestateCloudEnvironment construct creates a "RestateServiceInvokerRole" with a hard-coded trust policy for our gated-signup Managed Cluster to assume. This should work out of the box with future iterations of Restate Cloud, but it should also provide the user this construct sufficient flexibility to manage the role and its trust policy directly, if they so wish.

The code in question is: https://github.com/restatedev/cdk/blob/42e5444b402d4066852877f3de413cbf5feb77dd/lib/restate-constructs/restate-cloud-environment.ts#L49-L53

Proposed solution

The simplest solution would be to parametrize the construct properties to supply:

• [Optional] Restate Cloud Environment stage – indicates whether the well-known production Restate Cloud source caller is to be trusted, or some other principal from a typed enum(default, when available)
• [Optional] Inject a role reference directly, which the developer is responsible for maintaining and setting up

The information published at https://www.npmjs.com/package/@restatedev/restate-cdk is very sparse; it should contain some pointers on getting started with the CDK and probably a link to restatedev/examples#50 once merged.

As part of our positioning for Restate within the AWS Serverless community, we want native-feeling CDK support for deploying Restate services. Additionally, we can provide an easy ramp for deploying self-hosted Restate on AWS using the same mechanism. This issue tracks the minimal requirements for a Restate CDK construct library that supports the following:

• Easily deploy Restate to AWS in a native, low-cost way that is suitable for dev/test and evaluation purposes; it should provide reasonable durability but no effort is made to ensure high availability
• Makes a basic effort to assist customers with operating the Restate infrastructure (e.g. sets up instance OS patching out of the box)
• Supports deploying AWS Lambda-based Restate services as easily as managing any other Lambda function in CDK
• The initial version will only support TypeScript