Serverless Trading API

A Magic: The Gathering card trading platform built as a serverless API. Users register and authenticate through Cognito, make requests through API Gateway V2 with JWT authorization, and Lambda functions handle business logic against a DynamoDB table with KMS encryption. The entire stack deploys through a CI/CD pipeline with Lambda traffic shifting via CodeDeploy.

Services

Service         Role
API Gateway V2  HTTP API with routes, Lambda integration, JWT authorizer, and auto-deploy stage
Lambda          Go function on provided.al2023 runtime handling all API operations
DynamoDB        Single-table design with a GSI, encrypted with KMS (SSE-KMS)
Cognito         User pool with client for registration, confirmation, and JWT token issuance
KMS             Customer-managed key for DynamoDB encryption at rest
IAM             Six least-privilege roles for Lambda, API Gateway, CI/CD services
S3              Pipeline artifact bucket
CodeCommit      Git repository hosting Lambda source code
CodeBuild       Compiles Go binary and produces function.zip in Docker
CodeDeploy      Lambda AllAtOnce traffic shifting to new version
CodePipeline    Orchestrates Source, Build, Deploy stages

Architecture

Cognito User Pool --> JWT tokens
                        |
Client --> API Gateway V2 HTTP API (JWT authorizer)
             |
             v
           Lambda (Go, provided.al2023)
             |
             v
           DynamoDB (single table, SSE-KMS)

The application uses DynamoDB single-table design with composite keys. Users, binders (card collections), and cards share one table, partitioned by user ID. A GSI supports querying trades by status. Trades follow a lifecycle: OPEN, COUNTERED, COMPLETED, or DECLINED.
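Because every item is partitioned by user ID, the handler should take that ID from the claims the JWT authorizer has already verified, not from the URL. The sketch below is an added example, not the project's own code: it reads the `sub` claim from an API Gateway v2.0 payload and builds the partition key from it. The `{userId}` path parameter, the `USER#` key prefix, and the sample events are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Subset of the API Gateway HTTP API v2.0 event that the check needs.
type event struct {
	PathParameters map[string]string `json:"pathParameters"`
	RequestContext struct {
		Authorizer struct {
			JWT struct {
				Claims map[string]string `json:"claims"`
			} `json:"jwt"`
		} `json:"authorizer"`
	} `json:"requestContext"`
}

var errForbidden = errors.New("forbidden: path user does not match token subject")
var errUnauthenticated = errors.New("unauthenticated: no sub claim from authorizer")

// ownerPartitionKey returns the partition key for the caller's items.
// The key is built from the verified "sub" claim, never from the URL.
func ownerPartitionKey(raw []byte) (string, error) {
	var ev event
	if err := json.Unmarshal(raw, &ev); err != nil {
		return "", fmt.Errorf("bad event: %w", err)
	}
	sub := ev.RequestContext.Authorizer.JWT.Claims["sub"]
	if sub == "" {
		return "", errUnauthenticated
	}
	// Hypothetical {userId} path parameter: if present it must equal sub.
	if id, ok := ev.PathParameters["userId"]; ok && id != sub {
		return "", errForbidden
	}
	return "USER#" + sub, nil // "USER#" prefix is an assumed key format
}

// Constructed sample events: same-user request and cross-user request.
const ownEvent = `{"pathParameters":{"userId":"u-111"},"requestContext":{"authorizer":{"jwt":{"claims":{"sub":"u-111"}}}}}`
const crossEvent = `{"pathParameters":{"userId":"u-222"},"requestContext":{"authorizer":{"jwt":{"claims":{"sub":"u-111"}}}}}`

func main() {
	for _, e := range []string{ownEvent, crossEvent} {
		fmt.Println(ownerPartitionKey([]byte(e)))
	}
}
```

An integration test for this behaviour would sign in as one user and request another user's binder, expecting a 403 rather than data.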

CI/CD deploys the Lambda function through CodePipeline: CodeCommit source, CodeBuild compiles Go to function.zip, and CodeDeploy applies AllAtOnce traffic shifting to the Lambda alias.

What This Validates

  • API Gateway V2 HTTP API with Lambda proxy integration and v2.0 payload format
  • JWT authorization via Cognito User Pool JWKS endpoint
  • Cognito user lifecycle: SignUp, AdminConfirmSignUp, InitiateAuth with USER_PASSWORD_AUTH
  • Lambda synchronous invocation from API Gateway with Go provided.al2023 runtime
  • DynamoDB single-table design with GSI and KMS envelope encryption
  • CodeDeploy Lambda AllAtOnce traffic shifting with alias management
  • Full CI/CD pipeline executing Docker-based Go compilation and deployment

Test Coverage

Tests cover CI/CD pipeline execution with artifact verification, smoke checks for API Gateway health and Lambda invocation, integration tests for the full authentication flow (signup, login, JWT-protected requests) and CRUD operations (users, binders, cards, trade lifecycle), security tests for DynamoDB KMS encryption and IAM role scoping, and performance tests with 50 concurrent health checks and 20 concurrent authenticated requests.