Change ANDS related AWS Lambda functions to not use a VPC configuration

Change ANDS related AWS Lambda functions to not use a VPC configuration as a white-listed IP address (from a NAT Gateway) is no longer needed to interact with the ANDS handle minting service. Both the Demo and Live ANDS handle service use a shared secret (Basic Authentication) scheme instead.
ardc-shorn · Jul 23, 2018 · ef6ccae · ef6ccae
1 parent edead8d
commit ef6ccae
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 35 deletions.
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ The DLCF will connect critical elements and points in time of the data journey f
 
 The Resource and Activity Persistent identifier (RAiD) is the first of the enabling technologies required for the DLCF.*RAiD API* is a '**proof of concept**' [Serverless](https://aws.amazon.com/serverless/) implementation designed to be hosted on Amazon Web Services (AWS) that will help create and manage RAiDs.
 
-## Current version: 1.1.0
+## Current version: 1.1.1
 
 ## Serverless Components
 AWS serverless applications are able to conform to a [multi-tier architecture]( https://d0.awsstatic.com/whitepapers/AWS_Serverless_Multi-Tier_Architectures.pdf), consisting of three defined tiers:

diff --git a/sam/template.yaml b/sam/template.yaml
@@ -17,9 +17,10 @@
 #       AndsService=<<ands_service>> \
 #       DemoAndsService=<<ands_service>> \
 #       AndsAppId=<<app_id>> \
-#       AndsSubnets=<<subnet1,subnet2>> \
 #       AndsSecurityGroups=<<sg1,sg1>> \
 #       ElasticsearchHost=<<....ap-southeast-2.es.amazonaws.com>> \
+#       AndsSecret=<<>> \
+#       AndsDemoSecret=<<>> \
 # --capabilities CAPABILITY_IAM
 ---
 AWSTemplateFormatVersion: '2010-09-09'
@@ -58,17 +59,13 @@ Parameters:
     Type: String
   AndsSecret:
     Type: String
+  AndsDemoSecret:
+    Type: String
   ElasticsearchHost:
     Type: String
-  AndsSubnets:
-    Type: CommaDelimitedList
-    Description: "Comma seperated subnet ids that have access to ANDS handle minting service"
-  AndsSecurityGroups:
-    Type: CommaDelimitedList
-    Description: "Comma seperated security group ids that have inbound/outbound access to ANDS handle minting service"
   HandleAlarmThreshold:
     Type: String
-    Default: 20
+    Default: 80
     Description: "The minimum safe queue depth threshold before more ANDS Handles should be minted"
 
 Globals:
@@ -100,6 +97,8 @@ Globals:
           Ref: AndsAppId
         ANDS_SECRET:
           Ref: AndsSecret
+        ANDS_DEMO_SECRET:
+          Ref: AndsDemoSecret
         RAID_DEMO_TABLE: !GetAtt RAiDDemoDB.Outputs.RaidDB
         RAID_TABLE: !GetAtt RAiDLiveDB.Outputs.RaidDB
         ASSOCIATION_DEMO_TABLE: !GetAtt RAiDDemoDB.Outputs.RAiDAssociationDB
@@ -323,11 +322,6 @@ Resources:
       Handler: handlers.raid_handlers.create_raid_handler
       Role: !GetAtt CrudLambdaIAMRole.Arn
       MemorySize: 1024
-      VpcConfig: # Get past ANDS IP Whitelisting
-        SecurityGroupIds:
-          Ref: AndsSecurityGroups
-        SubnetIds:
-          Ref: AndsSubnets
       Tracing: Active
       Events:
         CreateRaidHandle:
@@ -346,11 +340,6 @@ Resources:
       CodeUri: ../build
       Handler: handlers.raid_handlers.update_raid
       Role: !GetAtt CrudLambdaIAMRole.Arn
-      VpcConfig: # Get past ANDS IP Whitelisting
-        SecurityGroupIds:
-          Ref: AndsSecurityGroups
-        SubnetIds:
-          Ref: AndsSubnets
       Tracing: Active
       Events:
         UpdateRaidHandle:
@@ -523,11 +512,6 @@ Resources:
         Variables:
           DEMO_RAID_STREAM_ARN: !GetAtt RAiDDemoDB.Outputs.RaidDBStreamArn
           RAID_STREAM_ARN: !GetAtt RAiDLiveDB.Outputs.RaidDBStreamArn
-      VpcConfig: # Get past ANDS IP Whitelisting
-        SecurityGroupIds:
-          Ref: AndsSecurityGroups
-        SubnetIds:
-          Ref: AndsSubnets
       Events:
         RaidDemoTableStream:
           Type: DynamoDB
@@ -551,11 +535,6 @@ Resources:
       Handler: handlers.ands_handlers.create_ands_handles_from_event
       Role: !GetAtt CrudLambdaIAMRole.Arn
       MemorySize: 1024
-      VpcConfig: # Get past ANDS IP Whitelisting
-        SecurityGroupIds:
-          Ref: AndsSecurityGroups
-        SubnetIds:
-          Ref: AndsSubnets
       Events:
         AndsHandleAlarm:
           Type: SNS

diff --git a/src/handlers/ands_handlers.py b/src/handlers/ands_handlers.py
@@ -10,7 +10,7 @@
 logger.setLevel(logging.INFO)
 
 # Maxium amount of handles needed in a queue
-DEFAULT_HANDLE_THRESHOLD = 20
+DEFAULT_HANDLE_THRESHOLD = 80
 
 
 def create_ands_handles_from_event(event, context):
@@ -34,12 +34,14 @@ def create_ands_handles_from_event(event, context):
                     logger.info('ANDS Handle Queue below threshold...')
                     queue = os.environ["ANDS_HANDLES_QUEUE"]
                     service_url = os.environ["ANDS_SERVICE"]
+                    ands_secret = os.environ["ANDS_SECRET"]
 
                 # Demo ANDS Handle Alarm
                 elif record['Sns']['TopicArn'] == os.environ['DEMO_ANDS_HANDLE_ALARM_TOPIC']:
                     logger.info('DEMO_ANDS Handle Queue below threshold...')
                     queue = os.environ["DEMO_ANDS_HANDLES_QUEUE"]
                     service_url = os.environ["DEMO_ANDS_SERVICE"]
+                    ands_secret = os.environ["ANDS_DEMO_SECRET"]
 
                 else:
                     raise Exception('Unknown SNS Alarm event')
@@ -64,7 +66,7 @@ def create_ands_handles_from_event(event, context):
                         os.environ["ANDS_APP_ID"],
                         "raid",
                         "raid.org.au",
-                        os.environ["ANDS_SECRET"],
+                        ands_secret,
                     )
 
                     # Send new ANDS handle to SQS

diff --git a/src/handlers/db_streams.py b/src/handlers/db_streams.py
@@ -39,6 +39,8 @@ def raid_table_dynamodb_stream_event(event, context):
                     table_attributes['contentIndex']
                 )
 
+                ands_secret = os.environ["ANDS_DEMO_SECRET"]
+
             elif record['eventSourceARN'] == os.environ['RAID_STREAM_ARN']:
                 ands_url_path = "{}modifyValueByIndex?handle={}&value={}&index={}".format(
                     os.environ["ANDS_SERVICE"],
@@ -47,6 +49,8 @@ def raid_table_dynamodb_stream_event(event, context):
                     table_attributes['contentIndex']
                 )
 
+                ands_secret = os.environ["ANDS_SECRET"]
+
             else:
                 logger.info('Unknown DynamoDB Stream')
                 continue
@@ -69,7 +73,7 @@ def raid_table_dynamodb_stream_event(event, context):
                     os.environ["ANDS_APP_ID"],
                     "raid",
                     "raid.org.au",
-                    os.environ["ANDS_SECRET"],
+                    ands_secret,
                 )
 
                 logger.info(json.dumps(ands_mint))
@@ -90,7 +94,7 @@ def raid_table_dynamodb_stream_event(event, context):
                         os.environ["ANDS_APP_ID"],
                         "raid",
                         "raid.org.au",
-                        os.environ["ANDS_SECRET"],
+                        ands_secret,
                     )
 
                     logger.info(json.dumps(ands_mint))

diff --git a/src/handlers/raid_handlers.py b/src/handlers/raid_handlers.py
@@ -66,6 +66,9 @@ def create_raid_handler(event, context):
     :param context:
     :return: RAiD object
     """
+    if 'requestContext' not in event:
+        return {"message": "Warming Lambda container"}
+
     try:
         environment = event['requestContext']['authorizer']['environment']
 
@@ -127,6 +130,12 @@ def create_raid_handler(event, context):
         # Set content path
         raid_item['contentPath'] = content_path
 
+        # Get correct ANDS Shared Secret
+        if environment == settings.DEMO_ENVIRONMENT:
+            ands_secret = os.environ["ANDS_DEMO_SECRET"]
+        elif environment == settings.LIVE_ENVIRONMENT:
+            ands_secret = os.environ["ANDS_SECRET"]
+
         # Get ANDS handle and content index
         ands_handle, ands_content_index = ands_helpers.get_new_ands_handle(
             environment,
@@ -136,7 +145,7 @@ def create_raid_handler(event, context):
             os.environ["DEMO_ANDS_SERVICE"],
             content_path,
             os.environ["ANDS_APP_ID"],
-            os.environ["ANDS_SECRET"]
+            ands_secret
         )
 
         # Insert minted handle into raid item
@@ -292,6 +301,9 @@ def update_raid(event, context):
     :param context:
     :return: RAiD object
     """
+    if 'requestContext' not in event:
+        return {"message": "Warming Lambda container"}
+
     # Check for provided RAiD and content path to mint
     try:
         raid_handle = urllib.unquote(urllib.unquote(event["pathParameters"]["raidId"]))

diff --git a/src/helpers/ands_helpers.py b/src/helpers/ands_helpers.py
@@ -71,7 +71,7 @@ def ands_handle_request(url_path, app_id, identifier, auth_domain, shared_secret
     # Build Headers
     headers = {'Content-Type': 'application/xml'}
 
-    if shared_secret and ('https://demo.ands.org.au' not in url_path):  # Basic Authenticated call
+    if shared_secret:  # Basic Authenticated call
         # Create XML Body
         xml_data = build_basic_authorized_mint_body(identifier, auth_domain)