Open oleksandrsv opened 1 month ago
Hi! Thank you for opening this issue!
The latest version 4.1.0 of the SSO Elevator module includes an integrated API Gateway. You now have the option to choose between using a Lambda URL and the API Gateway. In future releases, the Lambda URL will be deprecated.
Would migrating to the API Gateway address your concerns?
I mean like these settings:
# module.aws_sso_elevator.module.http_api[0].aws_apigatewayv2_stage.this[0] will be updated in-place
~ resource "aws_apigatewayv2_stage" "this" {
id = "default"
name = "default"
tags = {}
# (8 unchanged attributes hidden)
- route_settings {
- data_trace_enabled = false -> null
- detailed_metrics_enabled = true -> null
- route_key = "POST /access-requester" -> null
- throttling_burst_limit = 1 -> null
- throttling_rate_limit = 1 -> null
}
+ route_settings {
+ data_trace_enabled = false
+ detailed_metrics_enabled = true
+ logging_level = (known after apply)
+ route_key = "POST /access-requester"
+ throttling_burst_limit = 500
+ throttling_rate_limit = 1000
}
# (2 unchanged blocks hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
So the idea is to limit the execution of the Lambda by limiting the API Gateway to 1 execution at a time, at least, instead of 500/1000. wdyt?
Hi,
I'm sorry for not getting back to you sooner.
We’ve already implemented a check in the Lambda code to ensure that users cannot submit the same request before the previous one has been processed: https://github.com/fivexl/terraform-aws-sso-elevator/blob/main/src/main.py#L99
Additionally, we’ve restricted access to the created API Gateway using CORS: https://github.com/fivexl/terraform-aws-sso-elevator/blob/main/slack_handler_lambda.tf#L219
cors_configuration = {
  allow_credentials = true
  allow_origins     = ["https://slack.com"]
  allow_methods     = ["POST"]
  max_age           = 86400
}
So, only Slack can send requests to this API Gateway, and it does so only when we use the /access command in the Slack bot. I’m not sure if reducing the number of possible requests would help with anything. Are there any other concerns that make you think we should limit the execution of the Lambda function by restricting the API Gateway?
Hi, as the Lambda function is open to the internet and some people may share its URL, AWS can provide 100k requests per second for Lambda. It makes no sense for Lambda if there are 100-150 users in the company. AWS recommends adding an API Gateway and limiting it there. However, maybe there is an option to block such requests using default AWS settings for Lambda? Thank you.
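The thread's underlying question is how to make sure only Slack can reach the handler. A CORS `allow_origins` setting is enforced by browsers, not by API Gateway, so it does not stop a non-browser client that knows the URL; the server-side control Slack offers for this is request signing with the app's signing secret. The following is an added example (not the module's own code) of that check, plus a hypothetical in-memory one-request-per-user guard in the spirit of the duplicate-request check the maintainer mentions; `SIGNING_SECRET`, `InFlightRequests` and `handle_request` are assumed names, and the sample secret and request body are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample value; the real secret comes from the Slack app settings.
SIGNING_SECRET = "constructed-signing-secret-not-real"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off

def compute_signature(secret: str, timestamp: str, body: str) -> str:
    """Slack v0 scheme: HMAC-SHA256 over 'v0:<timestamp>:<raw body>', hex encoded."""
    basestring = f"v0:{timestamp}:{body}".encode("utf-8")
    return "v0=" + hmac.new(secret.encode("utf-8"), basestring, hashlib.sha256).hexdigest()

def verify_slack_request(headers: dict, body: str, secret: str = SIGNING_SECRET, now: Optional[float] = None) -> bool:
    """True only if the request carries a fresh signature made with our signing secret."""
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    provided = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit():
        return False
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale or replayed request
    expected = compute_signature(secret, timestamp, body)
    return hmac.compare_digest(expected, provided)  # constant-time comparison

class InFlightRequests:
    """Hypothetical in-memory guard (valid per Lambda container only): one request per user at a time."""
    def __init__(self) -> None:
        self._active: set = set()
    def try_acquire(self, user_id: str) -> bool:
        if user_id in self._active:
            return False
        self._active.add(user_id)
        return True
    def release(self, user_id: str) -> None:
        self._active.discard(user_id)

def handle_request(headers: dict, body: str, inflight: InFlightRequests, now: Optional[float] = None) -> int:
    """HTTP status to return: 401 for an unsigned or forged request, 429 for a duplicate in-flight one."""
    if not verify_slack_request(headers, body, now=now):
        return 401
    user_id = parse_qs(body).get("user_id", [""])[0]
    if not user_id or not inflight.try_acquire(user_id):
        return 429
    # The real handler would open the access request here, then release the guard.
    inflight.release(user_id)
    return 200
```

API Gateway throttling (the `throttling_rate_limit` and `throttling_burst_limit` in the plan above) still caps how many requests reach the function at all; the signature check decides which of those are actually acted on.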