Skip to content

Restrict API Lambda invocation to the CloudFront distribution#574

Merged
sylviamclaughlin merged 5 commits into
mainfrom
fix/cloudfront-oac
Jun 3, 2026
Merged

Restrict API Lambda invocation to the CloudFront distribution#574
sylviamclaughlin merged 5 commits into
mainfrom
fix/cloudfront-oac

Conversation

@sylviamclaughlin

Copy link
Copy Markdown
Contributor

Summary | Résumé

Locks down the API Lambda so it can only be invoked through the CloudFront distribution, replacing the previous public (principal = "*", auth NONE) access.

Changes

  • Function URL → IAM auth: aws_lambda_function_url switched from authorization_type = "NONE" to "AWS_IAM".
  • CloudFront Origin Access Control: added aws_cloudfront_origin_access_control (type lambda, sigv4, signing_behavior = always) and wired it into the origin via origin_access_control_id, so CloudFront SigV4-signs requests to the now IAM-protected function URL.
  • Invoke permissions relocated to the CloudFront module: the aws_lambda_permission resources (InvokeFunctionUrl + InvokeFunction) now live in cloudfront/lambda.tf, scoped to principal = "cloudfront.amazonaws.com" with source_arn of the distribution.

@sylviamclaughlin
sylviamclaughlin requested review from a team and patheard June 2, 2026 23:33
@sylviamclaughlin sylviamclaughlin self-assigned this Jun 2, 2026

@patheard patheard left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately for this one we won't be able to add the CloudFront OAC because GitHub POST requests to us. We'll only be able to do the same partial fix that you made to the TF lambda_response module.

@sylviamclaughlin

Copy link
Copy Markdown
Contributor Author

Unfortunately for this one we won't be able to add the CloudFront OAC because GitHub POST requests to us. We'll only be able to do the same partial fix that you made to the TF lambda_response module.

Thanks Pat! I was trying to see in the lambda function if there was a POST/PUT request and I could not find any (other than the generic cloudfront allow methods so I implemented this. I will make the necessary changes.

@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown

Production: api

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 0 to add, 0 to change, 2 to destroy
Show summary
CHANGE NAME
delete aws_lambda_permission.api_invoke_function
aws_lambda_permission.api_invoke_function_url
Show plan
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # aws_lambda_permission.api_invoke_function will be destroyed
  # (because aws_lambda_permission.api_invoke_function is not in configuration)
  - resource "aws_lambda_permission" "api_invoke_function" {
      - action        = "lambda:InvokeFunction" -> null
      - function_name = "github-secret-scanning-api" -> null
      - id            = "AllowInvokeFunction" -> null
      - principal     = "*" -> null
      - region        = "ca-central-1" -> null
      - statement_id  = "AllowInvokeFunction" -> null
    }

  # aws_lambda_permission.api_invoke_function_url will be destroyed
  # (because aws_lambda_permission.api_invoke_function_url is not in configuration)
  - resource "aws_lambda_permission" "api_invoke_function_url" {
      - action                 = "lambda:InvokeFunctionUrl" -> null
      - function_name          = "github-secret-scanning-api" -> null
      - function_url_auth_type = "NONE" -> null
      - id                     = "AllowInvokeFunctionUrl" -> null
      - principal              = "*" -> null
      - region                 = "ca-central-1" -> null
      - statement_id           = "AllowInvokeFunctionUrl" -> null
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Warning: Deprecated attribute

  on .terraform/modules/sentinel_forwarder/sentinel_forwarder/main.tf line 85, in resource "aws_lambda_permission" "sentinel_forwarder_cloudwatch_log_subscription":
  85:   principal     = "logs.${data.aws_region.current.name}.amazonaws.com"

The attribute "name" is deprecated. Refer to the provider documentation for
details.

(and one more similar warning elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_cloudwatch_log_group.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_policy.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_role.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_lambda_function.sentinel_forwarder"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_ssm_parameter.sentinel_forwarder_auth"]

25 tests, 20 passed, 5 warnings, 0 failures, 0 exceptions

@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown

Production: cloudfront

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 2 to add, 0 to change, 0 to destroy
Show summary
CHANGE NAME
add aws_lambda_permission.api_invoke_function
aws_lambda_permission.api_invoke_function_url
Show plan
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_lambda_permission.api_invoke_function will be created
  + resource "aws_lambda_permission" "api_invoke_function" {
      + action              = "lambda:InvokeFunction"
      + function_name       = "github-secret-scanning-api"
      + id                  = (known after apply)
      + principal           = "cloudfront.amazonaws.com"
      + region              = "ca-central-1"
      + source_arn          = "arn:aws:cloudfront::283582579564:distribution/E3JW0APMFZN4DN"
      + statement_id        = "AllowInvokeFunction"
      + statement_id_prefix = (known after apply)
    }

  # aws_lambda_permission.api_invoke_function_url will be created
  + resource "aws_lambda_permission" "api_invoke_function_url" {
      + action                 = "lambda:InvokeFunctionUrl"
      + function_name          = "github-secret-scanning-api"
      + function_url_auth_type = "NONE"
      + id                     = (known after apply)
      + principal              = "cloudfront.amazonaws.com"
      + region                 = "ca-central-1"
      + source_arn             = "arn:aws:cloudfront::283582579564:distribution/E3JW0APMFZN4DN"
      + statement_id           = "AllowInvokeFunctionUrl"
      + statement_id_prefix    = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results
21 tests, 21 passed, 0 warnings, 0 failures, 0 exceptions

@sylviamclaughlin
sylviamclaughlin merged commit cacecab into main Jun 3, 2026
12 checks passed
@sylviamclaughlin
sylviamclaughlin deleted the fix/cloudfront-oac branch June 3, 2026 16:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants