
Cognito:

Yes, it's a complex, poorly documented pile of shite. BUT. It does work as a reasonably secure OAuth2 thingamabob. However I was told by my AWS account manager that auth0 was the way forward, and I agree.

Cloudformation:

Meh, I have about 35k lines of active CF at the moment. It's much of a muchness. Unless you are using parameters with selectors, you are going to have a bad time. Hard linking templates together (I assume that's what nested stacks are) is terrible. I've only briefly used terraform, so I have no idea if it's much better.

CF _could be_ a lot better. Like compile time validation, not just in time. That would stop a lot of anger when you realise you've spelt a CF parameter wrong (or the value fails validation) but only after you've spent ten minutes waiting for it to spin up. That's frankly unforgivable.

Elasticache:

Yes. It's expensive.

Kinesis:

What a disappointment. Stupid naming conventions, terrible throttling and throughput. It's just horrific. What's worse is that they looked at SQS and thought: "this compares favourably". NATS.io is a great fit for certain use cases (no, kafka is never the answer).

Lambda:

I don't actually get this myself. I made a REST API exclusively in Lambda. It meant that I could build a working prototype really quickly. Once proven we ported it to FastAPI in an autoscale group.

The API Gateway was heavily integrated into the Lambda spinup (controlled in CF) so I really don't see what the issue is. Also it understands Swagger, so I struggle to understand the criticism.
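The compile-time checks the comment above asks for (a misspelt parameter reference, a value that fails its validation rule) can be caught before any resource spins up; cfn-lint does this properly, but the added example below is a minimal static checker written for this thread to show the idea. It is not code from the thread or from AWS; the template, the `find_refs` and `lint` names and the pseudo-parameter list are constructed for it, and `AllowedPattern` is treated as a whole-value match the way CloudFormation applies it.

```python
import json
import re

# Constructed sample template (JSON form of a CloudFormation template), not from the thread.
# "Enviroment" is a deliberate misspelling of the "Environment" parameter.
TEMPLATE = json.loads("""
{
  "Parameters": {
    "Environment": {"Type": "String", "AllowedValues": ["dev", "prod"]},
    "BucketSuffix": {"Type": "String", "AllowedPattern": "^[a-z0-9-]+$"}
  },
  "Resources": {
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName":
      {"Fn::Join": ["-", ["data", {"Ref": "Enviroment"}, {"Ref": "BucketSuffix"}]]}}},
    "BucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {"Bucket": {"Ref": "DataBucket"}}}
  }
}
""")

# Pseudo parameters CloudFormation always resolves, so a Ref to them is not an error.
PSEUDO_PARAMS = {"AWS::Region", "AWS::AccountId", "AWS::StackName", "AWS::Partition", "AWS::NoValue"}

def find_refs(node):
    """Yield every logical name used by a Ref anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        for child in node.values():
            yield from find_refs(child)
    elif isinstance(node, list):
        for child in node:
            yield from find_refs(child)

def lint(template, values):
    """Return error strings for dangling Refs and parameter values that break their constraints."""
    errors = []
    params = template.get("Parameters", {})
    known = set(params) | set(template.get("Resources", {})) | PSEUDO_PARAMS
    for name in find_refs(template.get("Resources", {})):
        if name not in known:
            errors.append(f"unknown Ref target '{name}'")
    for name, spec in params.items():
        val = values.get(name, spec.get("Default"))
        if val is None:
            errors.append(f"parameter '{name}' has no value and no Default")
        elif "AllowedValues" in spec and val not in spec["AllowedValues"]:
            errors.append(f"parameter '{name}'={val!r} not in AllowedValues")
        elif "AllowedPattern" in spec and not re.fullmatch(spec["AllowedPattern"], str(val)):
            errors.append(f"parameter '{name}'={val!r} fails AllowedPattern")
    return errors
```

Running `lint(TEMPLATE, {"Environment": "staging", "BucketSuffix": "Logs_1"})` reports the dangling `Enviroment` Ref and both bad values in milliseconds, before a stack is ever created.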




Author is making a new lambda for each route.

But you can point each route in API Gateway to a different function in the same lambda.

Additionally, using the Serverless Framework facilitates local testing too.

That solves all the complaints from the author.


That only works if your functions require the same resources. If you need different memory/CPU power you're unevenly splitting functions wherever.


>>> However I was told by my AWS account manager that auth0 was the way forward, and I agree.

What do they mean by that?

auth0 is a company that sells a variety of authentication solutions (on premise and SaaS) and a variety of authentication libraries/plugins.

For example they run the site https://jwt.io/ that anybody who's had to work with JWT tokens would have used at some point.


Auth0 sells a bunch of authentication products that are similar to/compete with Cognito.

The difference between Cognito and Auth0 is that Auth0 has documentation, code examples and a decent API guide.

Cognito has a poorly documented API, terrible integration guides and even worse debugging options.

Once you have it going, Cognito is grand. To get there, it's a huge learning curve.


The fact that some specific attributes or options cannot change after creation is hard too. Other than that, it's not too bad. But like you said, setting it up takes effort, but a lot of programming is getting to a non-trivial hello world.


> CF _could be_ a lot better. Like compile time validation, not just in time.

I've recently finished a project using AWS CDK, which seems to do a certain amount of this. Just using TypeScript and having AWS resource interfaces be fully typed goes a long way for finding a template mistake quickly.


+1 for CDK. It's the way forward. CloudFormation sucks.


> compile time validation

Oh! I forgot about that mess. Yeah, it takes minutes of deploy time while real resources are spun up to catch some really basic mistakes.

Terraform plan catches a lot of issues, but I've seen cases where it misses something.


I haven't seen a scenario where TF plan AND apply miss something, but I have definitely been in the scenario where a CF stack fails, and then the rollback fails, and then you're stuck with an undeletable resource and can only submit a ticket to AWS.


Ditto on both counts: we stopped using CF after hitting one of those irrecoverable bugs — usually deleting the resources manually and ignoring all the errors deleting the stack would recover after a cycle or two but we hit at least one case where that wasn’t true.


I had a lot of uncaught issues while migrating from tf11 to tf12; as far as I remember it was due to heavy module usage.


Why is (no, kafka is never the answer)?


Large, painful to configure, high latency and difficult to look after.


Not sure I understand the "large" comment. Painful to configure... have you looked at CP-Ansible: https://github.com/confluentinc/cp-ansible

High Latency: Kafka's latency depends on your configuration and infrastructure. It has some of the lowest latency out there when configured correctly.

Curious to know why you find it difficult to look after? It's super stable, and is pretty easy to monitor via JMX.


Curious to hear more details about your thoughts on this. I've done some pretty significant improvements around my team's use of it in the last few months and can't say I've had this experience. The difficulties with it really, to me, seem to be a case of batteries-not-included, speaking as someone who had never run it prior to last August.


> difficult to look after.

Agree with this 100%. But what about hosted kafka solutions?

> high latency

Not sure I understand this point.


What makes it difficult to look after? Genuinely curious. I've run it in production for years and it's been pretty solid.


What are good Kafka alternatives? There's got to be some Go-written one somewhere ;)


NATS is one. Although it has some limitations.


NATS.io and Kafka seem very different, the former not being able to do at least once guarantees, no?


I've used Cognito for personal/pet web app projects before. It was good for my use case - quick and cheap user authentication.


The simpler the better. In my limited experience once we started fleshing out users to admins, managers, and users, in a multi-tenanted environment, we pretty quickly ran up against Cognito limitations which surprised me.

(Cognito groups seemed made for this, except they have a limit of 10k groups. We ended up storing a comma-separated list of ids in a custom Cognito tag, which seemed awkward.)


Oh it can be!

But the documentation is utterly pitiful.


I highly recommend cfn-lint [1]. As someone who has been writing CFN for a living for the past few months, it’s a godsend.

[1]: https://github.com/aws-cloudformation/cfn-python-lint


Seriously, an AWS account manager told you to use a competitor? Is this common? In a normal company salespeople might lose their jobs for saying that.


> in a normal company salespeople might lose their jobs for saying that.

Quite a few times over my career I have had a salesperson (not from Amazon) recommend a competitor over their own product. In every single case my respect for the salesperson shot way up. In at least two cases I can recall this helped them close a sale.

A smart salesperson does not do everything possible to push their company's products... a smart salesperson solves their customers' problems.


> A smart salesperson does not do everything possible to push their company's products

Bingo. A bad product fit means a bad customer experience, which means a bad review or reputation.

The smaller the company, the more important referrals are from your customers. Sending a potential customer to a competitor will (potentially) earn goodwill and future referrals. At worst, they might not refer anyone your way, but at least they won't be badmouthing you either.

Unfortunately, large companies typically mean large customers, and the people with the buying power aren't the people who will be using the product... so neither party really cares all that much about how well the product fits. This is the old "nobody gets fired for choosing IBM" mentality.

The worst is when medium companies think they are big companies, and try to do that to small customers. I once saw a salesperson push hard for something that was very obviously too small to be worth our time, and the project management overhead would have led to blowing our potential customer's budget out of the water. In the end, they walked away without working with us, and a pretty sour taste in their mouths from the pushiness of the sales guy.


Yup.

If you look at it from their point of view:

We were making an API that takes images, does stuff on the GPU and pushes back an answer.

It needed to be secure, fast and easy to look after. If they had forced Cognito down my throat, and it stopped me from shipping on time, they would have missed out on $$$ of GPU time. I trusted that architect more, because they were honest, and actually helped. Making me want to stay inside the expensive walled garden that is AWS, more.


Also, consider that the key to being successful in enterprise sales is all about relations. When that account rep leaves Amazon, they want to be able to use the relationship they have with you with whatever product they end up selling later.


Amazon doesn’t care what you use as long as you’re staying in their broader ecosystem.

I think it comes down to the "more flies with honey" thing. The customer will go on the defensive and shut down if you tell them they're stupid.


Rather, they're watching what others do on their platform and then make their own products based on it, same as on Amazon.com.


I've also had AWS support go way outside the realm of what they officially support, to help us get the job done. Hell, I've had AWS support people help me debug problems in Terraform when it was pretty apparent that the issue was on the AWS side. "Pretend I'm doing this by hand."


I've had an AWS account manager suggest to me to use Auth0 rather than Cognito for some scenarios as well.


Doesn't CF with dry-run enabled help with some of the compile-time validation?

