Merge pull request #35 from datafold/chiel-feature-github-reverse-proxy

feat: Add GitHub reverse proxy support

Author: cfernhout

main.tf

@@ -300,3 +300,21 @@ resource "random_password" "redis_password" {
   length           = 12
   special          = false
 }
+
+module "github_reverse_proxy" {
+  count = var.deploy_github_reverse_proxy ? 1 : 0
+
+  source = "./modules/github_reverse_proxy"
+
+  deployment_name          = var.deployment_name
+  environment              = var.environment
+  region                   = var.provider_region
+  vpc_cidr                 = local.vpc_cidr
+  vpc_id                   = local.vpc_id
+  vpc_private_subnets      = local.vpc_private_subnets
+  github_cidrs             = var.github_cidrs
+  datadog_api_key          = var.datadog_api_key
+  use_private_egress       = var.lb_internal
+
+  private_system_endpoint  = module.load_balancer.load_balancer_dns
+}

modules/github_reverse_proxy/README.md

@@ -0,0 +1,11 @@
+# AWS Lambda in VPC with API Gateway and Least Privilege Access
+
+To facilitate an internal load balancer, GitHub webhooks still need to have a way to reach the application. This is achieved by creating a reverse proxy for GitHub webhooks. This Terraform module deploys an AWS Lambda function inside a VPC, integrates it with API Gateway, and ensures least privilege access. The Lambda function receives webhooks from GitHub, processes them, and forwards them to a private system inside a VPC.
+
+## Features
+- Deploys an AWS Lambda function inside a VPC.
+- Integrates the Lambda function with API Gateway for receiving webhooks.
+- Limits access to the API Gateway only to request from GitHub CIDR ranges.
+- Configures the necessary IAM roles, including the `AWSLambdaVPCAccessExecutionRole`.
+- Implements a custom deny policy to prevent the Lambda function from making EC2 network-related API calls.
+- DataDog Lambda extension for logging and monitoring.

modules/github_reverse_proxy/iam.tf

@@ -0,0 +1,101 @@
+resource "aws_iam_role" "lambda_role" {
+  name = "${var.deployment_name}-lambda-github-webhook-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = "sts:AssumeRole",
+      Effect = "Allow",
+      Principal = {
+        Service = "lambda.amazonaws.com"
+      }
+    }]
+  })
+}
+
+resource "aws_iam_policy" "lambda_secrets_policy" {
+  name   = "lambda-secrets-policy"
+  policy = jsonencode({
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Action: "secretsmanager:GetSecretValue",
+        Resource: aws_secretsmanager_secret.datadog_api_key.arn
+      }
+    ]
+  })
+}
+
+# Attach the policy to the Lambda execution role
+resource "aws_iam_role_policy_attachment" "lambda_secrets_policy_attachment" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = aws_iam_policy.lambda_secrets_policy.arn
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_vpc_access_policy" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_logging_policy" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_policy" "lambda_describe_vpc_policy" {
+  name   = "${var.deployment_name}-lambda-describe-vpc-policy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Allow",
+        Action   = [
+          "ec2:DescribeSecurityGroups",
+          "ec2:DescribeSubnets",
+          "ec2:DescribeVpcs"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_describe_vpc_attachment" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = aws_iam_policy.lambda_describe_vpc_policy.arn
+}
+
+# https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#configuration-vpc-best-practice
+resource "aws_iam_policy" "lambda_deny_ec2_policy" {
+  name   = "${var.deployment_name}-lambda-deny-ec2-network-interface-policy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Deny",
+        Action   = [
+          "ec2:CreateNetworkInterface",
+          "ec2:DeleteNetworkInterface",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DetachNetworkInterface",
+          "ec2:AssignPrivateIpAddresses",
+          "ec2:UnassignPrivateIpAddresses"
+        ],
+        Resource = "*",
+        Condition = {
+          "ArnEquals": {
+            "lambda:SourceFunctionArn": [
+              "arn:aws:lambda:${data.aws_caller_identity.current.account_id}:function:${aws_lambda_alias.prod_alias.function_name}"
+            ]
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_deny_ec2_attachment" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = aws_iam_policy.lambda_deny_ec2_policy.arn
+}

modules/github_reverse_proxy/lambda_function.py

@@ -0,0 +1,55 @@
+import json
+import logging
+import os
+import urllib3
+
+
+if os.environ.get('DATADOG_MONITORING_ENABLED', None):
+    from datadog_lambda.logger import initialize_logging
+    initialize_logging(__name__)
+    logger = logging.getLogger(__name__)
+else:
+    logger = logging.getLogger()
+    logger.setLevel(logging.INFO)
+
+
+def forward_to_private_system(data, private_endpoint, headers):
+    """
+    Forward the data to the private system endpoint.
+    """
+    http = urllib3.PoolManager(cert_reqs='CERT_NONE')  # Disable SSL certificate verification
+    response = http.request(
+        'POST', private_endpoint, body=data, headers=headers, assert_same_host=False
+    )
+    return response.status, response.data
+
+def lambda_handler(event, context):
+    private_system_endpoint = os.getenv('PRIVATE_SYSTEM_ENDPOINT')
+    logger.info(f"Private system endpoint: {private_system_endpoint}")
+
+    body = event.get('body', '')
+    if not body:
+        logger.error("No body found in the event")
+        return {
+            'statusCode': 400,
+            'body': json.dumps('Bad Request: No payload found')
+        }
+    incoming_headers = event.get('headers', {})
+
+    logger.info("Starting to forward the payload")
+    status, response = forward_to_private_system(
+        body, private_system_endpoint, incoming_headers
+    )
+    logger.info(f"Forwarding status: {status}")
+
+    if status == 200:
+        return {
+            'statusCode': 200,
+            'body': json.dumps('Webhook processed and forwarded')
+        }
+    else:
+        logger.error(f"Error forwarding to private system ({status}): {response}")
+        return {
+            'statusCode': 500,
+            'body': json.dumps('Internal Server Error: Failed to forward webhook')
+        }

modules/github_reverse_proxy/lambda_function.zip

@@ -0,0 +1,205 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+data "archive_file" "zip_lambda_function" {
+  type        = "zip"
+  source_file = "${path.module}/lambda_function.py"
+  output_path = "${path.module}/lambda_function.zip"
+}
+
+resource "aws_secretsmanager_secret" "datadog_api_key" {
+  name        = "datadog_api_key"
+  description = "Datadog API Key used for monitoring Lambda"
+}
+
+resource "aws_secretsmanager_secret_version" "datadog_api_key_version" {
+  secret_id     = aws_secretsmanager_secret.datadog_api_key.id
+  secret_string = var.datadog_api_key  # This should be the Datadog API key (input as a variable)
+}
+
+locals {
+  function_name = "${var.deployment_name}-github-webhook-handler"
+  role          = aws_iam_role.lambda_role.arn
+  handler       = "lambda_function.lambda_handler"
+  runtime       = "python3.12"
+  memory_size   = 256
+  timeout       = 30
+  publish       = true
+
+  filename         = data.archive_file.zip_lambda_function.output_path
+  source_code_hash = data.archive_file.zip_lambda_function.output_base64sha256
+
+  private_system_endpoint = "https://${var.private_system_endpoint}/integrations/github/v1/app_hook"
+
+  subnet_ids         = var.vpc_private_subnets
+  security_group_ids = length(var.security_group_ids) > 0 ? var.security_group_ids : [aws_security_group.lambda_sg.id]
+}
+
+module "lambda_datadog" {
+  count = var.monitor_lambda_datadog ? 1 : 0
+
+  source  = "DataDog/lambda-datadog/aws"
+  version = "1.4.0"
+
+  function_name = local.function_name
+  role          = local.role
+  handler       = local.handler
+  runtime       = local.runtime
+  memory_size   = local.memory_size
+  timeout       = local.timeout
+  publish       = local.publish
+
+  filename         = local.filename
+  source_code_hash = local.source_code_hash
+
+  environment_variables = {
+    "DD_API_KEY_SECRET_ARN" : aws_secretsmanager_secret.datadog_api_key.arn
+    "DD_ENV" : var.environment
+    "DD_SERVICE" : "github-webhook-service"
+    "DD_SITE": "datadoghq.com"
+    "DD_VERSION" : "1.0.0"
+    "DD_EXTENSION_VERSION": "next"
+    "DD_SERVERLESS_LOGS_ENABLED": "true"
+    "DD_LOG_LEVEL": "INFO"
+    "DD_TAGS": "deployment:${var.deployment_name}"
+    "PRIVATE_SYSTEM_ENDPOINT" : local.private_system_endpoint
+    "DATADOG_MONITORING_ENABLED": "true"
+  }
+
+  vpc_config_subnet_ids         = local.subnet_ids
+  vpc_config_security_group_ids = local.security_group_ids
+
+  datadog_extension_layer_version = 63
+  datadog_python_layer_version = 98
+
+  # Depend on the zip operation
+  depends_on = [data.archive_file.zip_lambda_function]
+}
+
+resource "aws_lambda_function" "github_webhook_handler" {
+  count = var.monitor_lambda_datadog ? 0 : 1
+
+  function_name = local.function_name
+  role          = local.role
+  handler       = local.handler
+  runtime       = local.runtime
+  memory_size   = local.memory_size
+  timeout       = local.timeout
+  publish       = local.publish
+
+  filename         = local.filename
+  source_code_hash = local.source_code_hash
+
+  environment {
+    variables = {
+      PRIVATE_SYSTEM_ENDPOINT = local.private_system_endpoint
+    }
+  }
+
+  vpc_config {
+    subnet_ids         = local.subnet_ids
+    security_group_ids = local.security_group_ids
+  }
+
+  # Depend on the zip operation
+  depends_on = [data.archive_file.zip_lambda_function]
+}
+
+locals {
+  function_version = coalesce(concat(module.lambda_datadog[*].version, aws_lambda_function.github_webhook_handler[*].version)...)
+}
+
+resource "aws_lambda_alias" "prod_alias" {
+  name             = "prod"
+  function_name    = local.function_name
+  function_version = local.function_version
+}
+
+resource "aws_lambda_provisioned_concurrency_config" "example" {
+  function_name                     = aws_lambda_alias.prod_alias.function_name
+  provisioned_concurrent_executions = 1
+  qualifier                         = aws_lambda_alias.prod_alias.name
+}
+
+resource "aws_lambda_function_event_invoke_config" "concurrency_limit" {
+  function_name          = aws_lambda_alias.prod_alias.function_name
+  qualifier              = aws_lambda_alias.prod_alias.name
+  maximum_retry_attempts = 2
+}
+
+resource "aws_lambda_permission" "lambda_permission" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_alias.prod_alias.function_name
+  qualifier     = aws_lambda_alias.prod_alias.name
+  principal     = "apigateway.amazonaws.com"
+
+  # The /* part allows invocation from any stage, method and resource path
+  # within API Gateway.
+  source_arn = "${aws_api_gateway_rest_api.webhook_api.execution_arn}/*"
+}
+
+# API Gateway to act as a reverse proxy
+resource "aws_api_gateway_rest_api" "webhook_api" {
+  name = "GitHub Webhook Reverse Proxy"
+}
+
+# Create resource for webhooks
+resource "aws_api_gateway_resource" "webhook_resource" {
+  rest_api_id = aws_api_gateway_rest_api.webhook_api.id
+  parent_id   = aws_api_gateway_rest_api.webhook_api.root_resource_id
+  path_part   = "webhook"
+}
+
+# API Gateway Method
+resource "aws_api_gateway_method" "post_webhook" {
+  rest_api_id   = aws_api_gateway_rest_api.webhook_api.id
+  resource_id   = aws_api_gateway_resource.webhook_resource.id
+  http_method   = "POST"
+  authorization = "NONE"
+}
+
+# Lambda integration for API Gateway
+resource "aws_api_gateway_integration" "lambda_integration" {
+  rest_api_id             = aws_api_gateway_rest_api.webhook_api.id
+  resource_id             = aws_api_gateway_resource.webhook_resource.id
+  http_method             = aws_api_gateway_method.post_webhook.http_method
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = aws_lambda_alias.prod_alias.invoke_arn
+}
+
+# Deployment of API Gateway
+resource "aws_api_gateway_deployment" "api_deployment" {
+  rest_api_id = aws_api_gateway_rest_api.webhook_api.id
+  stage_name  = "prod"
+
+  depends_on = [aws_api_gateway_integration.lambda_integration]
+}
+
+resource "aws_api_gateway_rest_api_policy" "github_ip_restriction" {
+  rest_api_id = aws_api_gateway_rest_api.webhook_api.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+            {
+        Effect: "Allow",
+        Principal: "*",
+        Action: "execute-api:Invoke",
+        Resource: "arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.webhook_api.id}/*/POST/*",
+      },
+      {
+        Effect: "Deny",
+        Principal: "*",
+        Action: "execute-api:Invoke",
+        Resource: "arn:aws:execute-api:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.webhook_api.id}/*/POST/*",
+        Condition: {
+          "NotIpAddress": {
+            "aws:SourceIp": var.github_cidrs
+          }
+        }
+      }
+    ]
+  })
+}