Restrict API Lambda invocation to the CloudFront distribution#574
Conversation
patheard
left a comment
There was a problem hiding this comment.
Unfortunately for this one we won't be able to add the CloudFront OAC because GitHub POST requests to us. We'll only be able to do the same partial fix that you made to the TF lambda_response module.
Thanks Pat! I was trying to see in the lambda function if there was a POST/PUT request and I could not find any (other than the generic cloudfront allow methods so I implemented this. I will make the necessary changes. |
Production: api✅ Terraform Init: Plan: 0 to add, 0 to change, 2 to destroyShow summary
Show planResource actions are indicated with the following symbols:
- destroy
Terraform will perform the following actions:
# aws_lambda_permission.api_invoke_function will be destroyed
# (because aws_lambda_permission.api_invoke_function is not in configuration)
- resource "aws_lambda_permission" "api_invoke_function" {
- action = "lambda:InvokeFunction" -> null
- function_name = "github-secret-scanning-api" -> null
- id = "AllowInvokeFunction" -> null
- principal = "*" -> null
- region = "ca-central-1" -> null
- statement_id = "AllowInvokeFunction" -> null
}
# aws_lambda_permission.api_invoke_function_url will be destroyed
# (because aws_lambda_permission.api_invoke_function_url is not in configuration)
- resource "aws_lambda_permission" "api_invoke_function_url" {
- action = "lambda:InvokeFunctionUrl" -> null
- function_name = "github-secret-scanning-api" -> null
- function_url_auth_type = "NONE" -> null
- id = "AllowInvokeFunctionUrl" -> null
- principal = "*" -> null
- region = "ca-central-1" -> null
- statement_id = "AllowInvokeFunctionUrl" -> null
}
Plan: 0 to add, 0 to change, 2 to destroy.
Warning: Deprecated attribute
on .terraform/modules/sentinel_forwarder/sentinel_forwarder/main.tf line 85, in resource "aws_lambda_permission" "sentinel_forwarder_cloudwatch_log_subscription":
85: principal = "logs.${data.aws_region.current.name}.amazonaws.com"
The attribute "name" is deprecated. Refer to the provider documentation for
details.
(and one more similar warning elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_cloudwatch_log_group.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_policy.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_iam_role.sentinel_forwarder_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_lambda_function.sentinel_forwarder"]
WARN - plan.json - main - Missing Common Tags: ["module.sentinel_forwarder.aws_ssm_parameter.sentinel_forwarder_auth"]
25 tests, 20 passed, 5 warnings, 0 failures, 0 exceptions
|
Production: cloudfront✅ Terraform Init: Plan: 2 to add, 0 to change, 0 to destroyShow summary
Show planResource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# aws_lambda_permission.api_invoke_function will be created
+ resource "aws_lambda_permission" "api_invoke_function" {
+ action = "lambda:InvokeFunction"
+ function_name = "github-secret-scanning-api"
+ id = (known after apply)
+ principal = "cloudfront.amazonaws.com"
+ region = "ca-central-1"
+ source_arn = "arn:aws:cloudfront::283582579564:distribution/E3JW0APMFZN4DN"
+ statement_id = "AllowInvokeFunction"
+ statement_id_prefix = (known after apply)
}
# aws_lambda_permission.api_invoke_function_url will be created
+ resource "aws_lambda_permission" "api_invoke_function_url" {
+ action = "lambda:InvokeFunctionUrl"
+ function_name = "github-secret-scanning-api"
+ function_url_auth_type = "NONE"
+ id = (known after apply)
+ principal = "cloudfront.amazonaws.com"
+ region = "ca-central-1"
+ source_arn = "arn:aws:cloudfront::283582579564:distribution/E3JW0APMFZN4DN"
+ statement_id = "AllowInvokeFunctionUrl"
+ statement_id_prefix = (known after apply)
}
Plan: 2 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest results21 tests, 21 passed, 0 warnings, 0 failures, 0 exceptions
|
Summary | Résumé
Locks down the API Lambda so it can only be invoked through the CloudFront distribution, replacing the previous public (principal = "*", auth NONE) access.
Changes