feat: Add GitHub reverse proxy support

Author: cfernhout

modules/github_reverse_proxy/README.md

@@ -0,0 +1,35 @@
+# AWS Lambda in VPC with API Gateway and Least Privilege Access
+
+To facilitate an internal load balancer, GitHub webhooks still need to have a way to reach the application. This is achieved by creating a reverse proxy for GitHub webhooks. This Terraform module deploys an AWS Lambda function inside a VPC, integrates it with API Gateway, and ensures least privilege access. The Lambda function receives webhooks from GitHub, processes them, and forwards them to a private system inside a VPC.
+
+The module includes:
+- A Lambda function attached to a VPC.
+- Integration with API Gateway to expose the Lambda function as an HTTP endpoint.
+- A deny policy to follow the principle of least privilege, preventing the Lambda function code from making certain Amazon EC2 API calls.
+- Required IAM roles and permissions for VPC access and logging.
+- A Security Group to allow access to the private endpoint in the VPC.
+
+## Features
+- Deploys an AWS Lambda function inside a VPC.
+- Integrates the Lambda function with API Gateway for receiving webhooks.
+- Configures the necessary IAM roles, including the `AWSLambdaVPCAccessExecutionRole`.
+- Implements a custom deny policy to prevent the Lambda function from making EC2 network-related API calls.
+- CloudWatch logging for monitoring and troubleshooting.
+
+## Usage
+
+```hcl
+module "lambda_vpc_webhook" {
+  source = "./path_to_your_module" # Replace with your module path
+
+  # Variables
+  vpc_id                   = "vpc-12345678"
+  vpc_private_subnets      = ["subnet-abcdefgh", "subnet-ijklmnop"]
+  github_secret            = "your-github-webhook-secret"
+  private_system_endpoint  = "the ip of the internal load balancer"
+}
+
+output "api_gateway_url" {
+  value = module.lambda_vpc_webhook.api_gateway_url
+}
+```

modules/github_reverse_proxy/iam.tf

@@ -0,0 +1,83 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_iam_role" "lambda_role" {
+  name = "${var.deployment_name}-lambda-github-webhook-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = "sts:AssumeRole",
+      Effect = "Allow",
+      Principal = {
+        Service = "lambda.amazonaws.com"
+      }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_vpc_access_policy" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_logging_policy" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_policy" "lambda_describe_vpc_policy" {
+  name   = "${var.deployment_name}-lambda-describe-vpc-policy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Allow",
+        Action   = [
+          "ec2:DescribeSecurityGroups",
+          "ec2:DescribeSubnets",
+          "ec2:DescribeVpcs"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_describe_vpc_attachment" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = aws_iam_policy.lambda_describe_vpc_policy.arn
+}
+
+# https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#configuration-vpc-best-practice
+resource "aws_iam_policy" "lambda_deny_ec2_policy" {
+  name   = "${var.deployment_name}-lambda-deny-ec2-network-interface-policy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Deny",
+        Action   = [
+          "ec2:CreateNetworkInterface",
+          "ec2:DeleteNetworkInterface",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DetachNetworkInterface",
+          "ec2:AssignPrivateIpAddresses",
+          "ec2:UnassignPrivateIpAddresses"
+        ],
+        Resource = "*",
+        Condition = {
+          "ArnEquals": {
+            "lambda:SourceFunctionArn": [
+              "arn:aws:lambda:${data.aws_caller_identity.current.account_id}:function:${aws_lambda_function.github_webhook_handler.function_name}"
+            ]
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_deny_ec2_attachment" {
+  role       = aws_iam_role.lambda_role.name
+  policy_arn = aws_iam_policy.lambda_deny_ec2_policy.arn
+}

modules/github_reverse_proxy/lambda_function.py

@@ -0,0 +1,72 @@
+import json
+import hashlib
+import hmac
+import os
+import urllib3
+
+def verify_github_signature(headers, body, secret):
+    """
+    Verifies the GitHub webhook signature using the provided secret.
+    """
+    signature = headers.get('X-Hub-Signature-256')
+
+    if not signature:
+        print("No signature found in headers.")
+        return False
+
+    # Create the HMAC digest
+    hmac_gen = hmac.new(key=secret.encode(), msg=body, digestmod=hashlib.sha256)
+    expected_signature = f'sha256={hmac_gen.hexdigest()}'
+
+    return hmac.compare_digest(signature, expected_signature)
+
+def forward_to_private_system(data, private_endpoint):
+    """
+    Forward the data to the private system endpoint.
+    """
+    http = urllib3.PoolManager()
+    headers = {'Content-Type': 'application/json'}
+
+    response = http.request('POST', private_endpoint, body=json.dumps(data), headers=headers)
+
+    return response.status, response.data
+
+def lambda_handler(event, context):
+    github_secret = os.getenv('GITHUB_SECRET')
+    private_system_endpoint = os.getenv('PRIVATE_SYSTEM_ENDPOINT')
+
+    headers = event.get('headers', {})
+    body = event.get('body', '')
+
+    # Verify GitHub signature
+    if not verify_github_signature(headers, body.encode('utf-8'), github_secret):
+        print("Signature verification failed.")
+        return {
+            'statusCode': 403,
+            'body': json.dumps('Forbidden: Signature verification failed')
+        }
+
+    # Parse the body as JSON
+    try:
+        payload = json.loads(body)
+    except json.JSONDecodeError as e:
+        print(f"JSON parsing error: {e}")
+        return {
+            'statusCode': 400,
+            'body': json.dumps('Bad Request: Invalid JSON payload')
+        }
+
+    # Forward the payload to the private system
+    status, response = forward_to_private_system(payload, private_system_endpoint)
+
+    if status == 200:
+        return {
+            'statusCode': 200,
+            'body': json.dumps('Webhook processed and forwarded')
+        }
+    else:
+        print(f"Error forwarding to private system: {response}")
+        return {
+            'statusCode': 500,
+            'body': json.dumps('Internal Server Error: Failed to forward webhook')
+        }

modules/github_reverse_proxy/main.tf

@@ -0,0 +1,72 @@
+resource "null_resource" "zip_lambda_function" {
+  provisioner "local-exec" {
+    command = "zip -j lambda_function.zip lambda_function.py"
+  }
+
+  triggers = {
+    py_source = filemd5("lambda_function.py")
+  }
+}
+
+resource "aws_lambda_function" "github_webhook_handler" {
+  function_name = "${var.deployment_name}-github-webhook-handler"
+  role          = aws_iam_role.lambda_role.arn
+  handler       = "lambda_function.lambda_handler" # Python handler
+  runtime       = "python3.12"
+
+  filename         = "${path.module}/lambda_function.zip"
+  source_code_hash = filebase64sha256("${path.module}/lambda_function.zip")
+
+  environment {
+    variables = {
+      GITHUB_SECRET           = var.github_secret
+      PRIVATE_SYSTEM_ENDPOINT = var.private_system_endpoint
+    }
+  }
+
+  vpc_config {
+    subnet_ids         = var.vpc_private_subnets
+    security_group_ids = length(var.security_group_ids) > 0 ? var.security_group_ids : [aws_security_group.lambda_sg.id]
+  }
+
+  # Depend on the zip operation
+  depends_on = [null_resource.zip_lambda_function]
+}
+
+# API Gateway to act as a reverse proxy
+resource "aws_api_gateway_rest_api" "webhook_api" {
+  name = "GitHub Webhook Reverse Proxy"
+}
+
+# Create resource for webhooks
+resource "aws_api_gateway_resource" "webhook_resource" {
+  rest_api_id = aws_api_gateway_rest_api.webhook_api.id
+  parent_id   = aws_api_gateway_rest_api.webhook_api.root_resource_id
+  path_part   = "webhook"
+}
+
+# API Gateway Method
+resource "aws_api_gateway_method" "post_webhook" {
+  rest_api_id   = aws_api_gateway_rest_api.webhook_api.id
+  resource_id   = aws_api_gateway_resource.webhook_resource.id
+  http_method   = "POST"
+  authorization = "NONE"
+}
+
+# Lambda integration for API Gateway
+resource "aws_api_gateway_integration" "lambda_integration" {
+  rest_api_id             = aws_api_gateway_rest_api.webhook_api.id
+  resource_id             = aws_api_gateway_resource.webhook_resource.id
+  http_method             = aws_api_gateway_method.post_webhook.http_method
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = aws_lambda_function.github_webhook_handler.invoke_arn
+}
+
+# Deployment of API Gateway
+resource "aws_api_gateway_deployment" "api_deployment" {
+  rest_api_id = aws_api_gateway_rest_api.webhook_api.id
+  stage_name  = "prod"
+
+  depends_on = [aws_api_gateway_integration.lambda_integration]
+}

modules/github_reverse_proxy/outputs.tf

@@ -0,0 +1,4 @@
+output "api_gateway_url" {
+  value = aws_api_gateway_deployment.api_deployment.invoke_url
+}
+

modules/github_reverse_proxy/sg.tf

@@ -0,0 +1,12 @@
+resource "aws_security_group" "lambda_sg" {
+  name        = "${var.deployment_name}-lambda-security-group"
+  description = "Allow Lambda to access private systems"
+  vpc_id      = var.vpc_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = [var.vpc_cidr]
+  }
+}

modules/github_reverse_proxy/variables.tf

@@ -0,0 +1,52 @@
+# ┏━╸╻╺┳╸╻ ╻╻ ╻┏┓    ┏━┓┏━╸╻ ╻┏━╸┏━┓┏━┓┏━╸   ┏━┓┏━┓┏━┓╻ ╻╻ ╻
+# ┃╺┓┃ ┃ ┣━┫┃ ┃┣┻┓   ┣┳┛┣╸ ┃┏┛┣╸ ┣┳┛┗━┓┣╸    ┣━┛┣┳┛┃ ┃┏╋┛┗┳┛
+# ┗━┛╹ ╹ ╹ ╹┗━┛┗━┛   ╹┗╸┗━╸┗┛ ┗━╸╹┗╸┗━┛┗━╸   ╹  ╹┗╸┗━┛╹ ╹ ╹
+
+variable "deployment_name" {
+  type        = string
+  description = "Name of the current deployment."
+}
+
+variable "environment" {
+  type        = string
+  description = "Global environment tag to apply on all datadog logs, metrics, etc."
+}
+
+variable "region" {
+  type        = string
+  description = "Region to deploy API Gateway and lambda's to in AWS"
+}
+
+variable "vpc_id" {
+  description = "The VPC where Lambda will be deployed"
+}
+
+variable "vpc_private_subnets" {
+  description = "List of subnet IDs for Lambda to run in"
+  type        = list(string)
+}
+
+variable "vpc_cidr" {
+  type        = string
+  description = "Network CIDR for VPC"
+  validation {
+    condition     = can(regex("^(?:(?:\\d{1,3}\\.?){4})\\/(\\d{1,2})$", var.vpc_cidr))
+    error_message = "Network CIDR must be a valid cidr."
+  }
+}
+
+variable "security_group_ids" {
+  description = "List of security group IDs for Lambda. If non provided, it will use the lambda_sg."
+  type        = list(string)
+  default     = []
+}
+
+variable "github_secret" {
+  description = "GitHub webhook secret"
+  type        = string
+}
+
+variable "private_system_endpoint" {
+  description = "Private system endpoint to forward the webhook"
+  type        = string
+}