cdk-github-runners
Question: About lambda function URLs
I have a question about the webhook lambda that GitHub calls(?): is there any way to avoid unnecessary invocations with this? For example, if I have the function URL, even though I'll get an unauthorized message every time, I'm still invoking the function, so is there a way to limit this invocation?
I've tried creating a security group in a VPC which only allows GitHub Actions' IPs to invoke the function, but I get an error due to there being too many IPs 😄.
I don't believe security groups affect Lambda URLs. None of the documentation suggests there is a way to do this. But maybe the resource policy that allows lambda:InvokeFunctionUrl supports other conditions than just lambda:FunctionUrlAuthType? Maybe something like this will work?
```json
"NotIpAddress": {
  "aws:SourceIp": [
    "192.0.2.0/24",
    "203.0.113.0/24"
  ]
},
```
Unfortunately I have tried that but the whitelisted IP list is too big for a policy statement. I wonder (now that some time has passed) if someone mentioned this? @kichik
~~BTW, you mention this about the runners in README~~
~~>They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.~~
~~Excuse my noobness, but what is the reason for the VPC? Assuming I do not need to give runners IAM permissions as I have the runners assume roles that I created myself (OIDC).~~
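As an added example (not code from this issue or from cdk-github-runners), here is the Allow-statement form of the aws:SourceIp condition suggested above, together with a size check against Lambda's 20 KB limit for a function's resource-based policy, which is what makes a large allow-list "too big for a policy statement". The function ARN and the range list are constructed placeholders; the CIDR collapsing step shows the one case where the list can be shrunk, namely when ranges happen to be adjacent.

```python
import ipaddress
import json

# Lambda service quota: a function's resource-based policy may not exceed 20 KB.
RESOURCE_POLICY_LIMIT_BYTES = 20 * 1024

# Constructed placeholder ARN; not a real function.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:github-webhook"

# Constructed stand-in for a large published range list: 1536 contiguous /24s.
SAMPLE_RANGES = [f"10.{x}.{y}.0/24" for x in range(6) for y in range(256)]


def build_url_policy(function_arn: str, cidrs: list[str]) -> dict:
    """Resource policy that lets an AuthType NONE function URL be invoked
    only from the given source ranges (Allow + IpAddress, not NotIpAddress)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowFunctionUrlFromAllowedRanges",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "lambda:InvokeFunctionUrl",
            "Resource": function_arn,
            "Condition": {
                "StringEquals": {"lambda:FunctionUrlAuthType": "NONE"},
                "IpAddress": {"aws:SourceIp": cidrs},
            },
        }],
    }


def policy_size(policy: dict) -> int:
    """Byte length of the policy as compact JSON, the form AWS stores."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def fits_policy_limit(policy: dict) -> bool:
    return policy_size(policy) <= RESOURCE_POLICY_LIMIT_BYTES


def collapse_cidrs(cidrs: list[str]) -> list[str]:
    """Merge adjacent or overlapping CIDRs into supernets, per address family.
    This never widens the allowed set; it only helps when ranges are contiguous."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return [str(n) for n in list(v4) + list(v6)]
```

Against the constructed list, the raw policy is over the limit and the collapsed one is not; a real-world list of scattered ranges does not collapse much, which is why the thread moves on to concurrency limits instead.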
@kichik I could not find a way to do this, but how about we have an option to set reserved concurrent executions for function URLs? For example, if I set reserved concurrent executions as 100, the maximum number of requests per second that anyone could make to function URLs would be 10x (1000), which I think is reasonable.
Right now they're configured as unreserved.
@diegoaguilar is working on it in #174.
Maybe you can use an aspect to set the reserved concurrency for now? I don't know if this would be a very commonly used feature.
Ah, didn't see that one, thank you for pointing it out. I'll close this one as that issue addresses my concern.