Case Study

Serverless API Platform — Use Case

This is a small, focused project to show how modern apps can run without managing servers. Stack: API Gateway, Lambda (Python), DynamoDB, EventBridge, Cognito. Provisioned with Terraform. Deployed with GitHub Actions OIDC.


Problem

Teams need quick, secure APIs without the overhead of servers or containers. Traditional setups add cost, patching, and scaling work when you just need a reliable backend.

Solution

Endpoints:

  • /public — health check returning { "ok": true }
  • /items — protected; signed-in users can create and read items

Data is stored in DynamoDB. Each new item emits an EventBridge event that lands in CloudWatch Logs. This is a simple fan-out pattern you can extend for notifications, analytics, or other consumers.

Auth uses Cognito Hosted UI, so the API never sees passwords. Flow: the user signs in → receives a short-lived token → API Gateway verifies the token → Lambda runs → writes to DynamoDB → emits an EventBridge event.

In short: User → API Gateway → Lambda → DynamoDB (+ EventBridge)
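The /items step of that flow, as an added example (not the project's own code): the handler takes the caller identity only from the claims API Gateway attached after verifying the Cognito token, writes the item, then emits one EventBridge event. The event source name, the key layout and the in-memory stand-ins are assumptions; in the deployed function, `table` is `boto3.resource("dynamodb").Table(name)` and `bus` is `boto3.client("events")`.

```python
import json
import time
import uuid

# Constructed config; in Lambda these would come from environment variables.
EVENT_BUS = "default"
EVENT_SOURCE = "serverless-api.items"  # assumed event source name, not from the write-up

def caller_sub(event):
    """The 'sub' claim API Gateway's JWT authorizer attached after verifying the Cognito token."""
    jwt = event.get("requestContext", {}).get("authorizer", {}).get("jwt", {})
    return jwt.get("claims", {}).get("sub")

def handle_items(event, table, bus):
    """POST /items: store the item under the verified caller, then emit one EventBridge event."""
    owner = caller_sub(event)
    if not owner:
        # The authorizer already rejects unsigned requests; fail closed anyway.
        return {"statusCode": 401, "body": json.dumps({"error": "unauthorized"})}
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return {"statusCode": 400, "body": json.dumps({"error": "invalid json"})}
    name = body.get("name") if isinstance(body, dict) else None
    if not isinstance(name, str) or not 0 < len(name) <= 256:
        return {"statusCode": 400, "body": json.dumps({"error": "name required"})}
    # Ownership comes from the token claims, never from the request body.
    item = {"pk": owner, "sk": str(uuid.uuid4()), "name": name, "created_at": int(time.time())}
    table.put_item(Item=item)  # boto3 DynamoDB Table API
    bus.put_events(Entries=[{  # boto3 EventBridge client API; the rule forwards it to CloudWatch Logs
        "Source": EVENT_SOURCE,
        "DetailType": "ItemCreated",
        "Detail": json.dumps({"owner": owner, "id": item["sk"]}),
        "EventBusName": EVENT_BUS,
    }])
    return {"statusCode": 201, "body": json.dumps(item)}

# Constructed in-memory stand-ins so the handler can be exercised offline.
class FakeTable:
    def __init__(self): self.items = []
    def put_item(self, Item): self.items.append(Item)

class FakeBus:
    def __init__(self): self.entries = []
    def put_events(self, Entries): self.entries.extend(Entries); return {"FailedEntryCount": 0}

def signed_event(sub, body):
    """Constructed API Gateway HTTP API (payload v2) event, as the JWT authorizer delivers it."""
    return {"requestContext": {"authorizer": {"jwt": {"claims": {"sub": sub}}}}, "body": json.dumps(body)}
```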

Everything is defined in Terraform and deployed via GitHub Actions OIDC (short-lived creds — no stored secrets).

Why Serverless

  • No servers to patch or scale
  • Pay per request/invocation
  • DynamoDB On-Demand auto-scales storage
  • HTTP API pricing (cheaper than REST)
  • Lambda functions with short timeouts
  • Log retention trimmed to 7 days

CI/CD Without Secrets

GitHub Actions uses OIDC to assume an AWS role with short-lived credentials. Terraform compares config to state in S3 and applies only what changed — clean, idempotent deploys with no key sprawl.

What I Shipped

  • /public and /items endpoints
  • Cognito Hosted UI sign-in
  • DynamoDB persistence
  • EventBridge → CloudWatch event trail
  • Terraform IaC
  • GitHub Actions OIDC automation

How to Try It

  1. Open /public — should return { "ok": true }.
  2. Sign in via Cognito Hosted UI and copy the ID token.
  3. POST to /items with header:
    Authorization: Bearer <ID_TOKEN>
  4. Check DynamoDB for the item.
  5. See the event in CloudWatch Logs via EventBridge.

Lessons Learned

  • State matters: S3 backend prevents duplicate resources.
  • Least privilege: CI role scoped to required actions only.
  • Keep it simple: EventBridge → CloudWatch needs no extra role.
  • Idempotence: Import existing resources into Terraform state to avoid “already exists” errors.

Outcome

A secure, automated backend with zero servers and zero secrets. Fast to deploy, cheap to run, and easy to extend — a solid base for personal tools, prototypes, or small SaaS apps.