
Allow Lambda in us-east-1 required for cloudfront lambda on edge #65


Open
wants to merge 22 commits into base: main

Conversation

goruha
Member

@goruha goruha commented Feb 18, 2025

what

  • Allow Lambda in us-east-1
  • Allow enabling service quotas

why

  • Required for cloudfront lambda on edge

Migration v0 to v1

If the RestrictToSpecifiedRegions and DenyRegions service control policies are in use:

  1. Add the cloudfront_lambda_edge_enabled parameter set to false to preserve back-compatible behavior
  2. Add servicequotas_enabled parameter set to false to preserve back-compatible behavior
  3. Use additional RestrictLambdaToSpecifiedRegions or DenyLambdaInRegions policies to preserve back-compatible behavior
  4. To enable cloudfront lambda on edge, set cloudfront_lambda_edge_enabled to true

references

@goruha goruha requested review from a team as code owners February 18, 2025 17:35
@goruha goruha requested review from Gowiem and jamengual February 18, 2025 17:35
@mergify mergify bot added the triage Needs triage label Feb 18, 2025
@goruha
Member Author

goruha commented Feb 19, 2025

/terratest

@Nuru Nuru added minor New features that do not break anything feature New functionality and removed triage Needs triage labels Feb 19, 2025
Contributor

@Nuru Nuru left a comment


I think this is not the best approach.

The issues

To begin with, someone automatically updating to the latest version of this SCP would find that all of a sudden, Lambdas are allowed in all regions. That is not good: security weakened by an automatic upgrade.

Second, just because you need Lambdas in us-east-1 for CloudFront doesn't mean everyone wants to allow Lambdas in us-east-1. It needs to be a configurable option.

Third, whatever changes you make to RestrictToSpecifiedRegions you need to make similar changes to DenyRegions.

My recommendation

I think, instead, you should add a separate template option: cloudfront_enabled. When true:

  • acm:*
  • kms:*
  • lambda:*
  • waf:*

are allowed in us-east-1 along with the other allowed_regions. This needs to default to false so as not to surprise anyone with relaxed restrictions. This also needs to be implemented as a separate condition in the existing SCP, not as a separate SCP.

For bonus points, omit the second condition (the exception for CloudFront) when cloudfront_enabled is false or when allowed_regions includes us-east-1.
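The design recommended above (a cloudfront_enabled flag that defaults to false, admits the four edge services in us-east-1 alongside allowed_regions, and omits the exception when it would be a no-op), together with the DenyRegions counterpart that the migration notes in the PR description refer to, as an added example that is not code from this PR or from the cloudposse module. It renders both statement shapes as plain IAM JSON and includes a small explicit-deny evaluator so the property that matters for an automatic upgrade can be asserted: with the flag off, the policy is identical to the one without the feature. The function names, the Sids of the two exception statements, and the choice to take regions as Python lists rather than the module's comma-separated strings are assumptions for this example; the global-service exclusions the real templates carry are left out.

```python
"""Added example (not code from this PR or from the cloudposse module): render the
two SCP statement shapes discussed in the review as IAM JSON and check them with a
small explicit-deny evaluator. Assumptions: regions are Python lists, the CloudFront
edge exception covers exactly the four services named in the review, the Sids of
the exception statements are my own, and global-service exclusions are omitted."""
import json
from fnmatch import fnmatchcase

CLOUDFRONT_EDGE_ACTIONS = ["acm:*", "kms:*", "lambda:*", "waf:*"]
EDGE_REGION = "us-east-1"


def _region_condition(test, regions):
    return {test: {"aws:RequestedRegion": list(regions)}}


def restrict_to_specified_regions(allowed_regions, cloudfront_enabled=False):
    """Allow-list shape: deny every action outside allowed_regions. With the flag on
    and us-east-1 not already allowed, the edge services are carved out of the main
    statement and denied by a second statement that allows one extra region. With
    the default (False) the output is byte-for-byte the old policy."""
    need_exception = cloudfront_enabled and EDGE_REGION not in allowed_regions
    main = {
        "Sid": "RestrictToSpecifiedRegions",
        "Effect": "Deny",
        "Resource": "*",
        "Condition": _region_condition("StringNotEqualsIgnoreCase", allowed_regions),
    }
    if need_exception:
        main["NotAction"] = CLOUDFRONT_EDGE_ACTIONS  # everything except the edge services
    else:
        main["Action"] = "*"
    statements = [main]
    if need_exception:
        statements.append({
            "Sid": "RestrictCloudFrontEdgeServicesToSpecifiedRegions",  # hypothetical Sid
            "Effect": "Deny",
            "Action": CLOUDFRONT_EDGE_ACTIONS,
            "Resource": "*",
            "Condition": _region_condition(
                "StringNotEqualsIgnoreCase", [*allowed_regions, EDGE_REGION]),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def deny_regions(denied_regions, cloudfront_enabled=False):
    """Deny-list shape: deny every action in denied_regions. With the flag on and
    us-east-1 in the list, the edge services are carved out of the main statement
    and denied in the remaining regions only; that second statement is omitted when
    us-east-1 was the only denied region, so no statement ever has an empty
    condition value list."""
    need_exception = cloudfront_enabled and EDGE_REGION in denied_regions
    main = {
        "Sid": "DenyRegions",
        "Effect": "Deny",
        "Resource": "*",
        "Condition": _region_condition("StringEqualsIgnoreCase", denied_regions),
    }
    if need_exception:
        main["NotAction"] = CLOUDFRONT_EDGE_ACTIONS
    else:
        main["Action"] = "*"
    statements = [main]
    remaining = [r for r in denied_regions if r != EDGE_REGION]
    if need_exception and remaining:
        statements.append({
            "Sid": "DenyCloudFrontEdgeServicesInRegions",  # hypothetical Sid
            "Effect": "Deny",
            "Action": CLOUDFRONT_EDGE_ACTIONS,
            "Resource": "*",
            "Condition": _region_condition("StringEqualsIgnoreCase", remaining),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, action):
    # IAM action matching is case-insensitive; "*" is the only wildcard used here.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_denied(policy, action, region):
    """True if some Deny statement applies to (action, region). Only the
    aws:RequestedRegion string conditions these SCPs use are modelled."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if "Action" in st:
            applies = _matches(_as_list(st["Action"]), action)
        else:
            applies = not _matches(_as_list(st["NotAction"]), action)
        if not applies:
            continue
        (test, keys), = st["Condition"].items()
        in_list = region.lower() in {v.lower() for v in keys["aws:RequestedRegion"]}
        if test == "StringEqualsIgnoreCase" and in_list:
            return True
        if test == "StringNotEqualsIgnoreCase" and not in_list:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: only us-west-2 allowed, exception on.
    policy = restrict_to_specified_regions(["us-west-2"], cloudfront_enabled=True)
    print(json.dumps(policy, indent=2))
    print(is_denied(policy, "lambda:CreateFunction", "us-east-1"))  # False
    print(is_denied(policy, "ec2:RunInstances", "us-east-1"))       # True
```

The evaluator is deliberately narrow: it answers only whether an explicit Deny in this SCP applies, which is the question the review raises (does the upgrade silently stop denying Lambda somewhere). Running it over both shapes with the flag off and on gives a regression check that can sit next to the template tests.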

@goruha goruha self-assigned this Feb 25, 2025
@goruha
Member Author

goruha commented Apr 9, 2025

/terratest

@goruha
Member Author

goruha commented Apr 9, 2025

/terratest

@goruha
Member Author

goruha commented Apr 9, 2025

/terratest

@goruha
Member Author

goruha commented Apr 9, 2025

/terratest

@goruha goruha added major Breaking changes (or first stable release) and removed minor New features that do not break anything labels Apr 9, 2025
goruha added 7 commits April 9, 2025 17:32
…service-control-policies into lambda-on-edge

* 'lambda-on-edge' of github.com:cloudposse/terraform-aws-service-control-policies:
  Update RestrictToSpecifiedRegions.yaml
  Update RestrictToSpecifiedRegions.yaml
@goruha goruha requested a review from Nuru April 10, 2025 18:57
@goruha
Member Author

goruha commented Apr 10, 2025

/terratest

@goruha
Member Author

goruha commented Apr 10, 2025

/terratest

@goruha
Member Author

goruha commented Apr 11, 2025

/terratest

@goruha
Member Author

goruha commented Apr 11, 2025

/terratest

Contributor

@Nuru Nuru left a comment


We only need to make changes where the old rule would prevent deployment to us-east-1. I suggested specific changes for CloudFront, but you should make the same changes for servicequotas.

Comment on lines +66 to +81
- sid: "DenyLambdaInRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of denied regions
values:
%{ for r in split(",", denied_regions) }
%{ if cloudfront_lambda_edge_enabled != "true" || trimspace(r) != "us-east-1" }
- ${trimspace(r)}
%{ endif }
%{ endfor }
resources:
- "*"
Contributor


This entire statement is not needed unless cloudfront_lambda_edge_enabled == true and us-east-1 is one of several denied regions, and will cause drift and be useless otherwise.

Suggested change
- sid: "DenyLambdaInRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of denied regions
values:
%{ for r in split(",", denied_regions) }
%{ if cloudfront_lambda_edge_enabled != "true" || trimspace(r) != "us-east-1" }
- ${trimspace(r)}
%{ endif }
%{ endfor }
resources:
- "*"
%{ if cloudfront_lambda_edge_enabled && strcontains(denied_regions, "us-east-1") && trimspace(denied_regions) != "us-east-1" }
- sid: "DenyLambdaInRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of denied regions
values:
%{~ for r in split(",", denied_regions) ~}
%{~ if trimspace(r) != "us-east-1" ~}
- ${trimspace(r)}
%{~ endif ~}
%{~ endfor ~}
resources:
- "*"
%{ endif }
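Review bot: the replacement block strips the newlines the YAML list depends on. In Terraform templates the `~` marker removes newlines as well as spaces on that side of the directive, so with `~` on both sides of `%{~ for r in split(",", denied_regions) ~}`, `%{~ if trimspace(r) != "us-east-1" ~}`, `%{~ endif ~}` and `%{~ endfor ~}` the `values:` key and every `- ${trimspace(r)}` item are run together on one line in the rendered document. Strip on the left side only (`%{~ for ... }` / `%{~ endfor }`), which drops the directive's own line while leaving each item's newline and indentation in place, and check the rendered output with `templatefile` before merging. The outer guard is right as written: without the `trimspace(denied_regions) != "us-east-1"` clause, the original hunk emits a statement whose `values:` list is empty whenever us-east-1 is the only denied region.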

Comment on lines +31 to +33
%{ if cloudfront_lambda_edge_enabled == "true" }
- "lambda:*"
%{ endif }
Contributor


This is good: if cloudfront_lambda_edge_enabled != true (the default, right?), then the rule is not changed, and there will be no Terraform drift.

However, let's clean up the whitespace and remove the redundant condition.

Suggested change
%{ if cloudfront_lambda_edge_enabled == "true" }
- "lambda:*"
%{ endif }
%{~ if cloudfront_lambda_edge_enabled && strcontains(denied_regions, "us-east-1") ~}
- "lambda:*"
%{~ endif ~}
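Review bot: `%{~ if ... ~}` and `%{~ endif ~}` with `~` on both sides also eat the newline before and after `- "lambda:*"`, so the item is joined onto the neighbouring list entries once rendered; strip on the left side only here as well. The condition itself is the right shape, and it is correct that it lacks the `trimspace(denied_regions) != "us-east-1"` clause used on the separate DenyLambdaInRegions statement: when us-east-1 is the only denied region, `lambda:*` still has to be carved out of this statement even though no second statement is needed. With the flag at its default, or us-east-1 absent from `denied_regions`, the statement renders exactly as before, which is what keeps an upgrade from relaxing the policy and avoids Terraform drift.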

Comment on lines +43 to +45
%{ if servicequotas_enabled == "true" }
- "servicequotas:*"
%{ endif }
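Review bot: the guard at +43 to +45 keys only on `servicequotas_enabled`, so `servicequotas:*` is added to the list regardless of which regions the statement covers; every caller who turns the flag on gets a changed policy (and Terraform drift) even when the old rule would never have blocked them. Gate it on the region list as well, in the same way the `lambda:*` hunk in this template is gated on `denied_regions`/`allowed_regions` containing us-east-1, so the rendered statement is unchanged unless the exception actually does something.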
Contributor


You need to handle servicequotas_enabled just like cloudfront_lambda_edge_enabled.

Comment on lines +43 to +45
%{ if servicequotas_enabled == "true" }
- "servicequotas:*"
%{ endif }
Contributor


Again, this needs to be handled like cloudfront_lambda_edge_enabled.

Comment on lines +66 to +83
- sid: "RestrictLambdaToSpecifiedRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringNotEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of allowed regions
values:
# Us east-1 required for cloudfront lambda on edge
%{ if cloudfront_lambda_edge_enabled == "true" && !contains(split(",", allowed_regions), "us-east-1") }
- us-east-1
%{ endif }
%{ for r in split(",", allowed_regions) }
- ${trimspace(r)}
%{ endfor }
resources:
- "*"
Contributor


Same idea as with DenyLambdaInRegions.

Suggested change
- sid: "RestrictLambdaToSpecifiedRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringNotEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of allowed regions
values:
# Us east-1 required for cloudfront lambda on edge
%{ if cloudfront_lambda_edge_enabled == "true" && !contains(split(",", allowed_regions), "us-east-1") }
- us-east-1
%{ endif }
%{ for r in split(",", allowed_regions) }
- ${trimspace(r)}
%{ endfor }
resources:
- "*"
%{ if cloudfront_lambda_edge_enabled && !strcontains(allowed_regions, "us-east-1") }
- sid: "RestrictLambdaToSpecifiedRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringNotEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of allowed regions
values:
# Us east-1 required for cloudfront lambda on edge
- us-east-1
%{~ for r in split(",", allowed_regions) ~}
- ${trimspace(r)}
%{~ endfor ~}
resources:
- "*"
%{ endif }
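Review bot: in the original lines +66 to +83 the membership test `!contains(split(",", allowed_regions), "us-east-1")` looks at the untrimmed entries, so an `allowed_regions` value such as `"us-west-2, us-east-1"` is not recognised as already containing us-east-1 while the `- ${trimspace(r)}` loop below does emit it, producing a redundant extra statement; the `strcontains(allowed_regions, "us-east-1")` guard in the suggestion removes that inconsistency. In the replacement, `%{~ for r in split(",", allowed_regions) ~}` and `%{~ endfor ~}` strip the newline on both sides of each region line, which runs the `- us-east-1` entry and the loop output together; keep `~` on the left only and verify the rendered YAML with `templatefile`.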

Comment on lines +31 to +33
%{ if cloudfront_lambda_edge_enabled == "true" }
- "lambda:*"
%{ endif }
Contributor


Same idea as with DenyLambdaInRegions.

Suggested change
%{ if cloudfront_lambda_edge_enabled == "true" }
- "lambda:*"
%{ endif }
%{~ if cloudfront_lambda_edge_enabled && !strcontains(allowed_regions, "us-east-1") ~}
- "lambda:*"
%{~ endif ~}
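Review bot: this guard and the one on the separate RestrictLambdaToSpecifiedRegions statement must stay identical, because the two halves only make sense together: if `lambda:*` is carved out here but the second statement is not emitted, Lambda is no longer region-restricted at all; if the second statement is emitted without this carve-out, the main statement still denies Lambda in us-east-1 and the exception is dead. A template test that renders with `cloudfront_lambda_edge_enabled = true` and an `allowed_regions` value without us-east-1, then checks that both the carve-out and the extra statement appear (and that neither appears with the flag at its default), would catch the two conditions drifting apart in a later edit.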

@Nuru Nuru changed the title from "Allow Lambda in ue-east-1 required for cloudfront lambda on edge" to "Allow Lambda in us-east-1 required for cloudfront lambda on edge" Apr 22, 2025