SkillAgentSearch skills...

Picofun

Code generator for Python based Lambda functions that consume APIs defined in Open API spec files

GenerateConvertImprove

Install / Use

/learn @proactiveops/Picofun
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

PicoFun

There's little fun in writing boilerplate

PicoFun is a tool for generating Python based API clients. The client for each endpoint is packaged as an AWS Lambda function. Infrastructure as Code (Terraform or AWS CDK) is also generated to deploy the clients to AWS. The generated functions are designed to be invoked using Step Functions or the Lambda Invoke API.

PicoFun supports OpenAPI 3.x and Swagger 2.0 spec files out of the box, with a pluggable parser architecture for additional formats.

Installation

PicoFun can be installed using uv, but it is recommended to use uvx. This is particularly useful in a CI/CD pipeline. Invoke PicoFun with uvx like this:

uvx picofun [ARGS]

If you need to install uv/uvx, please refer to the documention.

Configuration

PicoFun is configured using a TOML file. The default configuration file is picofun.toml in the current working directory. An alternative location for the configuration file can be specified using the optional --config argument.

The configuration file has the following structure:

bundle="/path/containing/code/to/bundle/into/build" # default is none
iac="terraform" # default is "terraform". Set to "cdk" for AWS CDK output
iam_role_prefix="my-prefix-" # default is "pf-" for PicoFun
include_endpoints="include-endpoints.yaml" # default is none, generates all endpoints if omitted
layers=[ # default is none, but if AWS Powertools isn't present it is added
  "arn:aws:lambda:us-east-1:012345678910:layer:example:1",
  "arn:aws:lambda:us-east-1:012345678910:layer:another-example:123"
]
output_dir="/path/to/write/output-files" # default is current-working-directory/output
postprocessor="fully.qualified.reference.to.postprocessor" # default is none
preprocessor="fully.qualified.reference.to.preprocessor" # default is none
role_permissions_boundary="arn:aws:iam::012345678910:policy/..." # default is none
subnets=[ # default is none. Must be set if vpc_id is set
  "subnet-1234567890abcdef0",
  "subnet-234567890abcdef01"
]
template_path="/path/to/templates" # default is current-working-directory/templates
xray_tracing=false # default is to enable xray tracing, set this to false to turn it off
vpc_id = "vpc-0011223344556677f" # Default is none. Must be set if using subnets

[auth]
enabled=true # default is true. Set to false to disable automatic authentication
ttl_minutes=5 # default is 5 minutes. TTL for caching credentials in Lambda memory

[server] # Optional: Override or customize server URLs from OpenAPI spec
url = "https://api.example.com" # Full URL override (mutually exclusive with variables)
# OR
variables = { subdomain = "api", version = "v2" } # Override server URL variables

[tags] # defaults to none
key="value"
anotherKey="some other value"

Server URL Configuration

Some OpenAPI specs define server URLs with variables (e.g., https://{subdomain}.example.com/api/{version}). The [server] block allows you to:

  1. Override the entire server URL: Use url to replace the spec's server URL completely
  2. Customize server variables: Use variables to provide or override default values for tokenized URLs

Note: url and variables are mutually exclusive. You must use one or the other, not both.

Examples:

# Override the entire server URL
[server]
url = "https://production.api.example.com"

or

# Override specific variables in a tokenized URL
# If spec has: https://{environment}.example.com/api/{version}
[server]
variables = { environment = "staging", version = "v2" }

Server variables from the config override any defaults in the spec. Variables without defaults (in either spec or config) trigger a fatal error.

Supported Formats

PicoFun uses a pluggable parser architecture to convert API specifications into a canonical intermediate representation. The spec format is auto-detected by default.

Built-in Parsers

| Format | Detected via | --format value | |---|---|---| | OpenAPI 3.x | openapi: "3.x.x" field | openapi3 | | Swagger 2.0 | swagger: "2.0" field | swagger2 |

Format Override

Use the --format CLI flag to bypass auto-detection and force a specific parser:

picofun --format swagger2 myapi spec.json

Third-party Parsers

Additional parsers can be registered as plugins via the picofun.parsers entry point group. A plugin must subclass picofun.parsers.BaseParser and implement can_parse() and parse() methods.

Register the plugin in your package's pyproject.toml:

[project.entry-points."picofun.parsers"]
myformat = "my_package.parser:MyFormatParser"

Once installed, the parser is automatically discovered and available for both auto-detection and the --format flag.

Usage

PicoFun is invoked using the picofun command. The minimum arguments required to invoke PicoFun are the project namespace and the OpenAPI spec file. The project namespace is used to generate the names of the generated functions and the terraform module. The OpenAPI spec file is used to generate the clients.

Here is a minimal example:


uv -m picofun example https://raw.githubusercontent.com/OAI/OpenAPI-Specification/main/examples/v3.0/api-with-examples.json

This will create a directory called output in the current working directory. The directory will contain the generated functions and the terraform module. The terraform module is in the root directory of output/. The generated functions are in the lambdas sub directory and the code for lambda layer is in the layer sub directory.

While the config.toml file is the preferred way to manage the configuration for the project, there are times when it is useful to override the configuration file. The following arguments can be used to override the configuration file:

  --config-file  # Full path to the alternate configuration file
  --output-dir   # Directory to output the generated files
  --layers       # Comma separated list of Lambda layer ARNs to include in the function configuration
  --bundle       # Path to code to bundle into a layer. If requirements.txt present pip install will be run.
  --server-url   # Override server URL in the spec. Ignores any [server] config in picofun.toml
  --iac          # IaC tool: "terraform" (default), "tf", or "cdk"
  --cdk          # Shorthand for --iac cdk
  --tf           # Shorthand for --iac terraform
  --format       # Spec format override (e.g., openapi3, swagger2). Auto-detected if not set

Here is an example of overriding the configuration file:


uv -m picofun --config ~/picofun-example.toml example example.json

Commonly the layers argument is used to provide different layer ARNs based on the target environment, region and AWS account. Here is an example of overriding the layers argument:


uv -m picofun --layers "arn:aws:lambda:us-east-1:012345678912:layer:example:1,arn:aws:lambda:us-east-1:012345678912:layer:another-example:123" example example.yaml

The --server-url overrides the default server url. This can help with testing different environments.


uv -m picofun --server-url "https://staging-api.example.com" example example.yaml

Note: When --server-url is provided, it takes precedence over any [server] configuration in picofun.toml.

Bundle

PicoFun supports bundling code into a Lambda layer. The code to bundle is specified using the bundle entry in the configuration file or the --bundle argument on the command line. If a requirements.txt file is present in the bundle directory, pip install will be run by terraform before creating the layer.

The most common use case for using code bundles is to include pre and post processors.

Endpoint Filtering

By default, PicoFun generates Lambda functions for all endpoints in the OpenAPI spec. To generate functions for only specific endpoints, create an allowlist file and reference it in your configuration.

Add to picofun.toml:

include_endpoints = "include-endpoints.yaml"

Create include-endpoints.yaml:

# Include endpoints matching any of these paths
# Supports trailing wildcards: * (single segment), ** (multiple segments)
paths:
  - path: /users
    methods: [get, post]  # Optional: if omitted, all methods allowed
  - path: /orders/*
  - path: /products/**

# Include endpoints with these operationIds
operationIds:
  - getUser
  - createOrder

# Include endpoints with any of these tags
tags:
  - public
  - v2

Endpoints are included if they match ANY of the criteria (OR logic). If include_endpoints is not specified, all endpoints are generated.

The path patterns support two types of wildcards:

  • * matches a single path segment (e.g., /users/* matches /users/123 but not /users/123/orders)
  • ** matches multiple path segments (e.g., /users/** matches /users/123 and /users/123/orders)

When specifying methods for a path, the matching is case-insensitive. If no methods are specified for a path entry, all HTTP methods are allowed for that path.

Automatic Authentication

PicoFun automatically generates authentication code for APIs that define security schemes in their OpenAPI specifications. This feature eliminates the need to manually write preprocessor hooks for common authentication methods.

Supported Authentication Methods

PicoFun supports the following OpenAPI security scheme types:

  • HTTP Bearer Token (http with scheme: bearer) - Most common for modern APIs
  • HTTP Basic Authentication (http with scheme: basic)
  • API Key (apiKey) - Supports header, query parameter, and cookie locations
  • Mutual TLS (mutualTLS) - Client certificate authentication

Note: OAuth2 and OpenID Connect are not yet supported and will cause an error if they are the only security schemes defined.

How It Works

When you run PicoFun on an OpenAPI spec with se

proactiveops

View profile

View on GitHub
GitHub Stars9
CategoryProduct
Updated2d ago
Forks0
proactiveops/picofun

Languages

Python

Security Score

85/100

Audited on Mar 29, 2026

No findings