
Lambda functions should not try to resolve resource names

Open 1oglop1 opened this issue 1 year ago • 3 comments

Hi, I am restructuring the solution to fit our use case and I wanted to avoid modification of the Python code; however, the functions which rely on the resolution of resource names rather than resource IDs passed in as parameters,

namely:

https://github.com/serverless-ca/terraform-aws-ca/blob/7e14b3254a44a4bf1492818906636f57129a098f/modules/terraform-aws-ca-lambda/utils/certs/ca.py#L28-L32

https://github.com/serverless-ca/terraform-aws-ca/blob/7e14b3254a44a4bf1492818906636f57129a098f/modules/terraform-aws-ca-lambda/utils/certs/kms.py#L13-L18

https://github.com/serverless-ca/terraform-aws-ca/blob/7e14b3254a44a4bf1492818906636f57129a098f/modules/terraform-aws-ca-lambda/utils/certs/db.py#L13-L20

are forcing certain naming conventions which do not fit my environment.

Would it be possible to update the code so that DynamoDB and KMS aliases/ARNs are function parameters rather than resolved from the naming convention?

1oglop1 avatar Jun 26 '24 11:06 1oglop1

Hi @1oglop1 this is a good idea to allow more flexibility. We can set all of these as environment variables. Then, in the Terraform, we can pass the environment variables in to the Lambda functions, and use Terraform conditionals to set the current names as the defaults, with additional optional variables that can be passed in from the top level module for people who want to pass in custom resource names. We're already doing something along these lines for the S3 buckets using the optional bucket_prefix Terraform variable.

Is this something you'd be interested in submitting a PR / PRs for? If so, before you start let's have a discussion via Slack, you can reach me on the CloudSecurityForum Slack workspace. If you're not already a member, please email me on [email protected] with your preferred email address and I'll invite you.

paulschwarzenberger avatar Jun 27 '24 08:06 paulschwarzenberger
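One way to implement the approach described above on the Lambda side, as an added example that is not the project's own code: the environment variable names, the fallback naming convention and the validation patterns are all assumptions, chosen to show that an override passed in by Terraform should still be sanity-checked before the function uses it.

```python
import re
from dataclasses import dataclass

# Hypothetical environment variable names that Terraform would set on the Lambda.
ENV_TABLE = "CA_DYNAMODB_TABLE"
ENV_KMS = "CA_KMS_KEY_ID"

# Accept either a KMS alias or a KMS key/alias ARN for the override; reject anything else
# so a mistyped Terraform variable fails fast instead of failing at the first KMS call.
KMS_ALIAS_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")
KMS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:(key|alias)/.+$")
# DynamoDB table name constraints: 3-255 chars from [a-zA-Z0-9_.-].
TABLE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,255}$")


@dataclass(frozen=True)
class CaResources:
    dynamodb_table: str
    kms_key_id: str


def resolve_resources(environ: dict, project: str, env_name: str) -> CaResources:
    """Return the resource identifiers the Lambda should use.

    An explicit override from the environment wins; otherwise fall back to a
    name derived from project and environment. The fallback convention here is
    hypothetical and does not reproduce the project's real naming scheme.
    """
    table = environ.get(ENV_TABLE) or f"{project}-{env_name}-ca-db"
    kms = environ.get(ENV_KMS) or f"alias/{project}-{env_name}-ca-key"

    if not TABLE_NAME_RE.match(table):
        raise ValueError(f"invalid DynamoDB table name: {table!r}")
    if not (KMS_ALIAS_RE.match(kms) or KMS_ARN_RE.match(kms)):
        raise ValueError(f"KMS key must be an alias or ARN: {kms!r}")

    return CaResources(dynamodb_table=table, kms_key_id=kms)
```

Passing `os.environ` as the first argument wires this into a real handler; passing a plain dict keeps it testable without AWS access.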

[email protected]

Yes, I'd be interested in contributing back, it would release me from having to maintain a fork. I talked with our security specialist and found one more improvement which is required to meet the standard. Looking forward to your invitation.

1oglop1 avatar Jun 27 '24 08:06 1oglop1

Invite requested, you should get it once approved by a moderator.

paulschwarzenberger avatar Jun 27 '24 08:06 paulschwarzenberger

@1oglop1 I'm closing this issue for now, but feel free to reopen if you have time to work on this!

paulschwarzenberger avatar Oct 18 '24 14:10 paulschwarzenberger