make a proper ApiGatewayToSqs event

[johnduffell]

Having converted ticket tailor lambda to SrCDK in #3153

I noticed that there are a few issues

• API gateway returns a hard coded 200 OK to ticket tailor even if it couldn't write to SQS for any reason (meaning no alarms and no retries)
• the header needed is written to an attribute of the SQS message rather than into its body (sqs attributes seem to be designed for routing etc rather than actual data)
• related to the above, the VTL is custom for that single ticket tailor header, making it not really reusable as an SRCDK thing. we do not have access to anything else from the lambda including pathParameters, headers, queryStringParameters, httpMethod and path.

This PR aims to fix these issues in the ticket tailor lambda, making the ApiGatewayToSqs pattern more robust and reusable. Main changes:

• only return 200 if writing to SQS succeeded, otherwise 500
• write json object containing all useful HTTP fields to SQS, rather than body only. Also add zod schema to parse it back again.

Bonus updates:

• added a tickettailor README view in-branch here so that people know how to test it in CODE in future.
• use the logger throughout, add input email as logger context

See inline comments.

Tested in CODE
https://eu-west-1.console.aws.amazon.com/cloudwatch/home?region=eu-west-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252Fticket-tailor-webhook-CODE/log-events/2025$252F11$252F21$252F$255B$2524LATEST$255Dc927c51551ae4816af123a0b2be7072f

[johnduffell]

this means it will only use 200 response if the SQS response is a 200.
Previously it was using 200 for everything, even if SQS rejected the request due to permissions or other issues

[johnduffell]

by default for any non-2xx response from SQS it will now return a 500. e.g. if there is an SQS outage or credentials issue.
Hopefully this will do two new things:

• prompt ticket tailor to retry,
• trigger the existing API gateway 5xx alarm

(The only tricky thing is investigating - I'm not sure where API gateway logs the integration responses - but this is an existing issue)

[johnduffell]

this is a bit hard to read, it would be easier to look at the CDK.
In essence it's building a JSON payload similar to an APIGatewayProxyEvent to put into the queue

[johnduffell]

these are utility methods to generate VTL that take values or objects from input variables and write them to the json safely
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-parameter-mapping-sources.html

[johnduffell]

This would be generic for all lambdas using ApiGatewayToSqs, but for now let's leave it here.

[johnduffell]

as you can see I've added in a few bits we don't need for the existing lambda - we only need headers at the moment (in fact just one particular header)

The reason I added more is that this is a reusable construct and no one is going to want to fiddle about with VTL expressions just to put a queue in front of an existing lambda.

The idea of replicating the direct proxy lambda data structure (APIGatewayProxyEvent) is to make it as easy as possible to insert a queue in front of an existing lambda.

There would need to be a bit more tidying up of types before that's possible, but that can happen when it's needed.

[johnduffell]

we could slightly simplify things if we were using API gateway V2 SQS service integration [1], but I think we would still need to use VTL to build the body correctly, and it would be more invasive to make that much of a change. We should assess whether v2 is something we should move to for some/all of our APIs as it seems cheaper and more lightweight for common/simple use cases.
[1] https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-aws-services-reference.html#SQS-SendMessage

[johnduffell]

I suspect there was supposed to be an alarm on this value and it was missed

[johnduffell]

we have to tell API gateway that 500 is an allowed response code, (otherwise it returns its own 500 error in place of the one we hard coded)

[johnduffell]

this is new the APIGatewayProxyEvent-like type. It can be moved to some kind of router module as and when it's needed in another lambda

[johnduffell]

rather than treating the sqs body as the http body, we actually parse the sqs body to an object with its own nested body (and headers etc).

[johnduffell]

it's always a string now, but it could be missing

[johnduffell]

extracted from validSQSRecord.body below

[johnduffell]

tickettailor-webhook-signature is here instead of in messageAttributes below

[johnduffell]

now these only need to be the simpler ApiGatewayToSqsEvent rather than the whole SQS record

[Copilot]

Pull Request Overview

This PR refactors the ticket-tailor-webhook lambda to improve the ApiGatewayToSqs pattern by moving webhook headers from SQS message attributes into the message body, implementing proper error handling with 500 responses, and replacing console.log with structured logging.

• Modified the API Gateway VTL template to construct a JSON event structure mimicking APIGatewayProxyEvent
• Updated the webhook handler to parse and validate the new event structure using Zod
• Replaced all console.log/console.error/console.warn calls with structured logger calls

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
cdk/lib/cdk/ApiGatewayToSqs.ts	Refactored VTL template to build complete event JSON with headers, query parameters, and path parameters; added 500 error response handling
handlers/ticket-tailor-webhook/src/apiGatewayToSqsEvent.ts	Added new Zod schema and type definition for the ApiGatewayToSqs event structure
handlers/ticket-tailor-webhook/src/index.ts	Updated handler to parse and validate new event structure; replaced console.log with logger
handlers/ticket-tailor-webhook/src/validateRequest.ts	Changed to read signature from headers instead of message attributes; replaced console logging with logger
handlers/ticket-tailor-webhook/src/idapiService.ts	Replaced console.log/console.error with logger calls
handlers/ticket-tailor-webhook/test/testFixtures.ts	Refactored test fixtures to use new ApiGatewayToSqsEvent structure instead of SQS message attributes
handlers/ticket-tailor-webhook/test/validateRequest.test.ts	Updated test references to use new fixture names matching the event body structure
cdk/lib/snapshots/ticket-tailor-webhook.test.ts.snap	Updated snapshots to reflect new VTL template and error responses

[johnduffell]

this is a TODO for another day, it's always nice when a lambda has

• a quick test script you can run after deploying to CODE, and
• a script to run the local code against CODE identity etc and log the output to test the integrations

[johnduffell]

good opportunity to switch to use the logger module which adds some useful context

[johnduffell]

adding the email as context makes it easier to search the logs (e.g. find all log statements where this person/record tried before in the last 14 days)

[johnduffell]

I'm not sure if because it's async it might run the next iteration while it's waiting for the previous one to complete and therefore mix up the contexts?