This commit makes a number of changes to our deployment process to reflect newer best practices. This is a breaking change.
API Gateway
API gateway has been removed and replaced with an Application Load Balancer which forwards to the Lambda functions. The Application Load Balancer is protected by a Security Group which, by default, will reject all connections. You must provide the 'allowed_cidrs_ipv4' and 'allowed_cidrs_ipv6' variables.
API Gateway was removed because it was implemented before AWS supported Lambda functions as Load Balancer targets, it came with a lot of complexity in the Terraform, and it imposed a limitation that a request could not take more than 29 seconds: after 29 seconds, API Gateway would kill the client-side connection, but the Lambda would keep going, resulting in wasted processing time and a poor user experience when dealing with things that can be slow, like push notifications.
Terraform changes
The Terraform in this repository has been heavily modified. It is no longer recommended for you to cd into the Key-Conjurer directory and deploy the Terraform by invoking make deploy. We instead suggest that you use our Terraform code as a Terraform module, like so:
You will still need to ensure that the build artifacts are uploaded to the S3 bucket for AWS Lambda. This can be done with the following code excerpt:
cd ./Key-Conjurer/terraform && RELEASE=<release> S3_TF_BUCKET_NAME=<s3-tf-bucket-name> S3_FRONTEND_BUCKET_NAME=<s3-frontend-bucket-name> make upload
In previous iterations of the project, one needed to modify frontend_waf.tf to deploy the application correctly. You may now instead pass a variable to the Terraform module, waf_acl_id, which points to an ACL; if you do not do this, a default deny-all ACL will be created and used instead. You must specify a Web ACL to protect the frontend appropriately. Due to the API Gateway changes, this does not impact the API, which itself can only be accessed from the VPC it is deployed within.
Environment variable changes
TF_WORKSPACE is now RELEASE to better reflect its purpose
CLOUD_PROVIDER has been removed
You should configure your provider and backend blocks in that script.
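Added illustration of consuming the Terraform as a module with the deny-by-default inputs described above; this is not code from the commit or the Key-Conjurer repository. It assumes the module is sourced from the local path used in the upload step, that allowed_cidrs_ipv4/allowed_cidrs_ipv6 are lists of CIDR strings, and that any other inputs the module requires are omitted here.

```hcl
# Added example, not from the Key-Conjurer commit or repository. Assumes the
# module lives at the local path used by the upload step and that the three
# inputs named in the commit message are the only ones shown; any further
# required inputs are omitted.
module "keyconjurer" {
  source = "./Key-Conjurer/terraform"

  # The ALB's Security Group rejects all connections unless these are set.
  # Constructed documentation ranges (RFC 5737 / RFC 3849) stand in for the
  # operator's real VPN or office egress ranges. Avoid 0.0.0.0/0 and ::/0,
  # which would discard the deny-by-default posture the module provides.
  allowed_cidrs_ipv4 = ["203.0.113.0/24"]
  allowed_cidrs_ipv6 = ["2001:db8:1234::/48"]

  # Web ACL protecting the frontend. If this is not passed, the module creates
  # a default deny-all ACL, so the frontend stays unreachable until one is set.
  waf_acl_id = var.waf_acl_id
}

variable "waf_acl_id" {
  description = "ID of an existing Web ACL for the frontend (assumed to be created or looked up outside this module)."
  type        = string
}
```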
Add a newline to the Not Found response
Rename "TF_WORKSPACE" to "RELEASE"
Export Vault error if it occurs
Allow KeyConjurer to contact other services, like Vault
Remove Terraform steps from deployment
Add policy to access the encryption key