

[#3716] Add option to put convox lambda's in vpc if rack is private f…
…or security requirements

### What is the feature/fix?

Add option to put convox lambda's in vpc if rack is private for security requirements

issue: https://app.asana.com/0/1203637156732418/1206477197857608/f

### Does it has a breaking change?

no

### How to use/test it?

If the rack is private, set the rack parameter `PlaceLambdaInVpc` to `Yes`; when the rack is not private the parameter has no effect.

### Checklist
- [ ] New coverage tests
- [ ] Unit tests passing
- [ ] E2E tests passing
- [ ] E2E downgrade/update test passing
- [ ] Documentation updated
- [ ] No warnings or errors on Deepsource/Codecov
nightfury1204 committed Feb 5, 2024
1 parent bd23851 commit 711cd0f
Showing 3 changed files with 62 additions and 4 deletions.
19 changes: 18 additions & 1 deletion provider/aws/formation/app.json.tmpl
Expand Up @@ -20,6 +20,8 @@
"InternalDomains": { "Fn::Equals": [ { "Ref": "InternalDomains" }, "Yes" ] },
"Isolate": { "Fn::And": [ { "Condition": "Private" }, { "Fn::Equals": [ { "Ref": "Isolate" }, "Yes" ] } ] },
"IsolateServices": { "Fn::Or": [ { "Condition": "FargateServicesEither" }, { "Condition": "Isolate" } ] },
"PlaceLambdaInVpcCond": { "Fn::Equals": [ { "Ref": "PlaceLambdaInVpc" }, "Yes" ] },
"PrivateAndPlaceLambdaInVpc": { "Fn::And": [ { "Condition": "Private" }, { "Condition": "PlaceLambdaInVpcCond" } ] },
"Private": { "Fn::Equals": [ { "Ref": "Private" }, "Yes" ] },
"RackUrl": { "Fn::Equals": [ { "Ref": "RackUrl" }, "Yes" ] }
},
Expand Down Expand Up @@ -119,6 +121,12 @@
"Description": "Number of days to keep logs (blank for unlimited)",
"Type": "String"
},
"PlaceLambdaInVpc": {
"Type": "String",
"Description": "Place convox related lambdas in vpc if rack is private",
"Default": "No",
"AllowedValues": [ "Yes", "No" ]
},
"Private": {
"Type": "String",
"Default": "No",
Expand Down Expand Up @@ -471,7 +479,16 @@
" });",
"};"
] ] }
}
},
"VpcConfig": { "Fn::If": [ "PrivateAndPlaceLambdaInVpc",
{
"SecurityGroupIds": [
{ "Fn::ImportValue": { "Fn::Sub": "${Rack}:InstancesSecurityGroup" }}
],
"SubnetIds": [{ "Fn::ImportValue": { "Fn::Sub": "${Rack}:SubnetPrivate0" } }, { "Fn::ImportValue": { "Fn::Sub": "${Rack}:SubnetPrivate1" } }]
},
{ "Ref": "AWS::NoValue" }
]}
}
},
"TimerRole": {
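Review bot: The new `VpcConfig` block on the app Lambda is not backed by any change to the function's execution role, and a VPC-attached Lambda needs `ec2:CreateNetworkInterface`, `ec2:DescribeNetworkInterfaces` and `ec2:DeleteNetworkInterface` (the `AWSLambdaVPCAccessExecutionRole` managed policy) or the stack update fails at function creation; the `Role` property and the role resource sit outside this hunk, so this is only a problem if they do not already grant those actions. Reusing `${Rack}:InstancesSecurityGroup` also gives the Lambda every ingress/egress rule the rack instances have, which is broader than a build/timer helper needs; a dedicated egress-only security group exported by the rack would keep least privilege. If the role does lack the permissions, the fix is one line on it: `"ManagedPolicyArns": [ { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" } ]`. The enclosing Lambda resource starts before this hunk.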
41 changes: 38 additions & 3 deletions provider/aws/formation/rack.json
Expand Up @@ -130,6 +130,8 @@
"Internal": { "Fn::Equals": [ { "Ref": "Internal" }, "Yes" ] },
"InternetGateway": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "InternetGateway" }, "" ] } ] },
"NotExistingVpcAndBlankInternetGateway": { "Fn::Not": [ { "Condition": "ExistingVpcAndBlankInternetGateway" } ] },
"PlaceLambdaInVpcCond": { "Fn::Equals": [ { "Ref": "PlaceLambdaInVpc" }, "Yes" ] },
"PrivateAndPlaceLambdaInVpc": { "Fn::And": [ { "Condition": "PrivateInstances" }, { "Condition": "PlaceLambdaInVpcCond" } ] },
"Private": { "Fn::Or": [ { "Condition": "PrivateBuild" }, { "Condition": "PrivateInstances" } ] },
"PrivateAndThirdAvailabilityZoneAndHighAvailability": {
"Fn::And": [ { "Condition": "Private" }, { "Condition": "ThirdAvailabilityZone" }, { "Condition": "HighAvailability" } ]
Expand Down Expand Up @@ -870,6 +872,12 @@
"MaxLength": "50",
"NoEcho": true
},
"PlaceLambdaInVpc": {
"Type": "String",
"Description": "Place lambda in vpc",
"Default": "No",
"AllowedValues": [ "Yes", "No" ]
},
"Private": {
"Type": "String",
"Description": "Create non publicly routable resources",
Expand Down Expand Up @@ -1246,7 +1254,16 @@
"MemorySize": "128",
"Role": { "Fn::GetAtt": [ "CustomTopicRole", "Arn" ] },
"Runtime": "nodejs16.x",
"Timeout": "300"
"Timeout": "300",
"VpcConfig": { "Fn::If": [ "PrivateAndPlaceLambdaInVpc",
{
"SecurityGroupIds": [
{ "Fn::If": [ "BlankInstanceSecurityGroup", { "Ref": "InstancesSecurity" }, { "Ref": "InstanceSecurityGroup" }]}
],
"SubnetIds": [{ "Ref": "SubnetPrivate0" }, { "Ref": "SubnetPrivate1" }]
},
{ "Ref": "AWS::NoValue" }]
}
}
},
"Vpc": {
Expand Down Expand Up @@ -2296,7 +2313,16 @@
"MemorySize": "128",
"Role": { "Fn::GetAtt": [ "ApiRole", "Arn" ] },
"Runtime": "provided.al2",
"Timeout": "60"
"Timeout": "60",
"VpcConfig": { "Fn::If": [ "PrivateAndPlaceLambdaInVpc",
{
"SecurityGroupIds": [
{ "Fn::If": [ "BlankInstanceSecurityGroup", { "Ref": "InstancesSecurity" }, { "Ref": "InstanceSecurityGroup" }]}
],
"SubnetIds": [{ "Ref": "SubnetPrivate0" }, { "Ref": "SubnetPrivate1" }]
},
{ "Ref": "AWS::NoValue" }]
}
}
},
"InstancesAutoscalerPermission": {
Expand Down Expand Up @@ -2418,7 +2444,16 @@
"MemorySize": "128",
"Role": { "Fn::GetAtt": [ "InstancesLifecycleHandlerRole", "Arn" ] },
"Runtime": "provided.al2",
"Timeout": "300"
"Timeout": "300",
"VpcConfig": { "Fn::If": [ "PrivateAndPlaceLambdaInVpc",
{
"SecurityGroupIds": [
{ "Fn::If": [ "BlankInstanceSecurityGroup", { "Ref": "InstancesSecurity" }, { "Ref": "InstanceSecurityGroup" }]}
],
"SubnetIds": [{ "Ref": "SubnetPrivate0" }, { "Ref": "SubnetPrivate1" }]
},
{ "Ref": "AWS::NoValue" }]
}
}
},
"InstancesLifecycleHandlerPermission": {
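Review bot: The `CustomTopic` function (role `CustomTopicRole`, the CloudFormation custom-resource handler) is now placed in `SubnetPrivate0`/`SubnetPrivate1` when the condition holds, and a custom-resource handler that cannot reach CloudFormation's pre-signed S3 response URL leaves the stack hanging until the resource times out, so this option depends on the private subnets having a NAT or S3 gateway route; nothing in the diff adds one, and whether the existing private subnets already have it cannot be seen here. The same ENI permissions (`AWSLambdaVPCAccessExecutionRole` or the equivalent `ec2:*NetworkInterface*` actions) are required on `CustomTopicRole`, `ApiRole` and `InstancesLifecycleHandlerRole`, none of which this commit touches. The parameter description on the `PlaceLambdaInVpc` parameter should state these requirements and the scoping: `"Description": "Place rack lambdas (custom resource, API, lifecycle handler) in the private subnets; only applies when Private=Yes and requires NAT or VPC endpoints for AWS API access"`. Attaching all three functions to the instance security group also grants them the instances' full rule set; an egress-only group would be tighter.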
6 changes: 6 additions & 0 deletions provider/aws/releases.go
Expand Up @@ -369,9 +369,15 @@ func (p *Provider) ReleasePromote(app, id string, opts structs.ReleasePromoteOpt
return err
}

lambdaInVpc, err := p.stackParameter(p.Rack, "PlaceLambdaInVpc")
if err != nil {
return err
}

updates := map[string]string{
"LogBucket": p.LogBucket,
"LogDriver": p.LogDriver,
"PlaceLambdaInVpc": lambdaInVpc,
"Private": private,
"SyslogDestination": p.SyslogDestination,
"SyslogFormat": p.SyslogFormat,
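Review bot: The value read by `p.stackParameter(p.Rack, "PlaceLambdaInVpc")` is forwarded verbatim into the app stack update, but the app template restricts `PlaceLambdaInVpc` to `Yes`/`No`; if the rack stack has not yet been updated to a template that defines the parameter and `stackParameter` reports that as an empty string rather than an error, the promote fails on the app template's `AllowedValues`. Defaulting the value before use closes that window: `if lambdaInVpc == "" { lambdaInVpc = "No" }`. Whether `stackParameter` errors or returns empty for a missing parameter is not visible here. `ReleasePromote` begins before this hunk and continues after it.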
