Skip to content

Allow Lambda in us-east-1 required for cloudfront lambda on edge #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
goruha wants to merge 22 commits into
base: main
Choose a base branch
from
Open

Allow Lambda in us-east-1 required for cloudfront lambda on edge #65

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
5a5e8e9
Allow Lambda in ue-east-1 required for cloudfront lambda on edge
goruha Feb 18, 2025
4c345de
Update RestrictToSpecifiedRegions.yaml
goruha Feb 18, 2025
bc88c88
Update RestrictToSpecifiedRegions.yaml
goruha Feb 18, 2025
83788a9
Update RestrictToSpecifiedRegions.yaml
goruha Feb 18, 2025
0331471
Update RestrictToSpecifiedRegions.yaml
goruha Feb 18, 2025
207e5e2
Update RestrictToSpecifiedRegions.yaml
goruha Feb 18, 2025
09e00f7
Address comments
goruha Apr 9, 2025
5326cb6
Address comments
goruha Apr 9, 2025
ecca15e
Address comments
goruha Apr 9, 2025
ffc8411
Fix tests
goruha Apr 9, 2025
06fa1d9
Fix tests
goruha Apr 9, 2025
f20f8d9
Fix tests
goruha Apr 9, 2025
1a4b68f
Fix tests
goruha Apr 9, 2025
c9ad718
Fix tests
goruha Apr 9, 2025
58c7626
Fix tests
goruha Apr 9, 2025
ecd696e
Update RestrictToSpecifiedRegions.yaml
goruha Apr 9, 2025
c30f164
Update RestrictToSpecifiedRegions.yaml
goruha Apr 9, 2025
8319c94
Fix policy
goruha Apr 10, 2025
4c1b16d
Merge branch 'lambda-on-edge' of github.com:cloudposse/terraform-aws-…
goruha Apr 10, 2025
4bad256
Fix policy
goruha Apr 10, 2025
3340d6c
Added service quotas policies
goruha Apr 10, 2025
6ece39f
added service quotas
goruha Apr 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions catalog/region-restriction-templates/DenyRegions.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@
- "iam:*"
- "importexport:*"
- "kms:*"
%{ if cloudfront_lambda_edge_enabled == "true" }
- "lambda:*"
%{ endif }
Comment on lines +31 to +33
Copy link
Contributor

@Nuru Nuru Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is good: if cloudfront_lambda_edge_enabled != true (the default, right?), then the rule is not changed, and there will be no Terraform drift.

However, let's clean up the whitespace and remove the redundant condition

Suggested change
%{ if cloudfront_lambda_edge_enabled == "true" }
- "lambda:*"
%{ endif }
%{~ if cloudfront_lambda_edge_enabled && strcontains(denied_regions, "us-east-1") ~}
- "lambda:*"
%{~ endif ~}

- "mobileanalytics:*"
- "networkmanager:*"
- "organizations:*"
Expand All @@ -37,6 +40,9 @@
- "s3:GetAccountPublic*"
- "s3:ListAllMyBuckets"
- "s3:PutAccountPublic*"
%{ if servicequotas_enabled == "true" }
- "servicequotas:*"
%{ endif }
Comment on lines +43 to +45
Copy link
Contributor

@Nuru Nuru Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to handle servicequotas_enabled just like cloudfront_lambda_edge_enabled

- "shield:*"
- "sts:*"
- "support:*"
Expand All @@ -56,3 +62,20 @@
%{ endfor }
resources:
- "*"

- sid: "DenyLambdaInRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of denied regions
values:
%{ for r in split(",", denied_regions) }
%{ if cloudfront_lambda_edge_enabled != "true" || trimspace(r) != "us-east-1" }
- ${trimspace(r)}
%{ endif }
%{ endfor }
resources:
- "*"
Comment on lines +66 to +81
Copy link
Contributor

@Nuru Nuru Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This entire statement is not needed unless cloudfront_lambda_edge_enabled == true and us-east-1 is one of several denied regions, and will cause drift and be useless otherwise.

Suggested change
- sid: "DenyLambdaInRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of denied regions
values:
%{ for r in split(",", denied_regions) }
%{ if cloudfront_lambda_edge_enabled != "true" || trimspace(r) != "us-east-1" }
- ${trimspace(r)}
%{ endif }
%{ endfor }
resources:
- "*"
%{ if cloudfront_lambda_edge_enabled && strcontains(denied_regions, "us-east-1") && trimspace(denied_regions) != "us-east-1" }
- sid: "DenyLambdaInRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of denied regions
values:
%{~ for r in split(",", denied_regions) ~}
%{~ if trimspace(r) != "us-east-1" ~}
- ${trimspace(r)}
%{~ endif ~}
%{~ endfor ~}
resources:
- "*"
%{ endif }

25 changes: 25 additions & 0 deletions catalog/region-restriction-templates/RestrictToSpecifiedRegions.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@
- "iam:*"
- "importexport:*"
- "kms:*"
%{ if cloudfront_lambda_edge_enabled == "true" }
- "lambda:*"
%{ endif }
Comment on lines +31 to +33
Copy link
Contributor

@Nuru Nuru Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same idea as with DenyLambdaInRegions

Suggested change
%{ if cloudfront_lambda_edge_enabled == "true" }
- "lambda:*"
%{ endif }
%{~ if cloudfront_lambda_edge_enabled && !strcontains(allowed_regions, "us-east-1") ~}
- "lambda:*"
%{~ endif ~}

- "mobileanalytics:*"
- "networkmanager:*"
- "organizations:*"
Expand All @@ -37,6 +40,9 @@
- "s3:GetAccountPublic*"
- "s3:ListAllMyBuckets"
- "s3:PutAccountPublic*"
%{ if servicequotas_enabled == "true" }
- "servicequotas:*"
%{ endif }
Comment on lines +43 to +45
Copy link
Contributor

@Nuru Nuru Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, needs to be handled like cloudfront_lambda_edge_enabled

- "shield:*"
- "sts:*"
- "support:*"
Expand All @@ -56,3 +62,22 @@
%{ endfor }
resources:
- "*"

- sid: "RestrictLambdaToSpecifiedRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringNotEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of allowed regions
values:
# Us east-1 required for cloudfront lambda on edge
%{ if cloudfront_lambda_edge_enabled == "true" && !contains(split(",", allowed_regions), "us-east-1") }
- us-east-1
%{ endif }
%{ for r in split(",", allowed_regions) }
- ${trimspace(r)}
%{ endfor }
resources:
- "*"
Comment on lines +66 to +83
Copy link
Contributor

@Nuru Nuru Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same idea as with DenyLambdaInRegions

Suggested change
- sid: "RestrictLambdaToSpecifiedRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringNotEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of allowed regions
values:
# Us east-1 required for cloudfront lambda on edge
%{ if cloudfront_lambda_edge_enabled == "true" && !contains(split(",", allowed_regions), "us-east-1") }
- us-east-1
%{ endif }
%{ for r in split(",", allowed_regions) }
- ${trimspace(r)}
%{ endfor }
resources:
- "*"
%{ if cloudfront_lambda_edge_enabled && !strcontains(allowed_regions, "us-east-1") }
- sid: "RestrictLambdaToSpecifiedRegions"
effect: "Deny"
actions:
- "lambda:*"
condition:
- test: "StringNotEqualsIgnoreCase"
variable: "aws:RequestedRegion"
# List of allowed regions
values:
# Us east-1 required for cloudfront lambda on edge
- us-east-1
%{~ for r in split(",", allowed_regions) ~}
- ${trimspace(r)}
%{~ endfor ~}
resources:
- "*"
%{ endif }

14 changes: 8 additions & 6 deletions examples/complete/fixtures.us-east-2.tfvars
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,12 @@ name = "scp"
service_control_policy_description = "Test Service Control Policy"

parameters = {
ami_creator_account = "account_creator"
ami_tag_key = "ami_tag_key"
ami_tag_value = "ami_tag_value"
allowed_regions = "eu-central-1, eu-west-1"
denied_regions = "sa-east-1"
s3_regions_lockdown = "eu-central-1, eu-west-1"
ami_creator_account = "account_creator"
ami_tag_key = "ami_tag_key"
ami_tag_value = "ami_tag_value"
allowed_regions = "eu-central-1, eu-west-1"
denied_regions = "sa-east-1"
s3_regions_lockdown = "eu-central-1, eu-west-1"
cloudfront_lambda_edge_enabled = "false"
servicequotas_enabled = "false"
}