From 5576c64e19fe617ea327db6a0436174d77b0ed36 Mon Sep 17 00:00:00 2001 From: windmgc Date: Thu, 18 Jul 2024 14:23:13 +0800 Subject: [PATCH] feat(aws-lambda): add configurable sts endpoint url for aws-lambda plugin --- .../feat-aws-lambda-configurable-sts-endpoint.yml | 4 ++++ kong/clustering/compat/checkers.lua | 13 +++++++++++++ kong/plugins/aws-lambda/handler.lua | 2 ++ kong/plugins/aws-lambda/schema.lua | 1 + 4 files changed, 20 insertions(+) create mode 100644 changelog/unreleased/kong/feat-aws-lambda-configurable-sts-endpoint.yml diff --git a/changelog/unreleased/kong/feat-aws-lambda-configurable-sts-endpoint.yml b/changelog/unreleased/kong/feat-aws-lambda-configurable-sts-endpoint.yml new file mode 100644 index 000000000000..a39a73241020 --- /dev/null +++ b/changelog/unreleased/kong/feat-aws-lambda-configurable-sts-endpoint.yml @@ -0,0 +1,4 @@ +message: > + "**AWS-Lambda**: Added support for a configurable STS endpoint with the new configuration field `aws_sts_endpoint_url`. +type: feature +scope: Plugin diff --git a/kong/clustering/compat/checkers.lua b/kong/clustering/compat/checkers.lua index 3dd083fd7ebb..02c57c98060e 100644 --- a/kong/clustering/compat/checkers.lua +++ b/kong/clustering/compat/checkers.lua @@ -38,6 +38,19 @@ local compatible_checkers = { end end + for _, plugin in ipairs(config_table.plugins or {}) do + if plugin.name == 'aws-lambda' then + local config = plugin.config + if config.aws_sts_endpoint_url ~= nil then + config.aws_sts_endpoint_url = nil + has_update = true + log_warn_message('configures ' .. plugin.name .. ' plugin with aws_sts_endpoint_url', + 'will be removed.', + dp_version, log_suffix) + end + end + end + return has_update end }, diff --git a/kong/plugins/aws-lambda/handler.lua b/kong/plugins/aws-lambda/handler.lua index 0e8155065222..fc3fbd248bc2 100644 --- a/kong/plugins/aws-lambda/handler.lua +++ b/kong/plugins/aws-lambda/handler.lua @@ -48,6 +48,7 @@ local build_cache_key do -- vault refresh can take effect when key/secret is rotated local SERVICE_RELATED_FIELD = { "timeout", "keepalive", "aws_key", "aws_secret", "aws_assume_role_arn", "aws_role_session_name", + "aws_sts_endpoint_url", "aws_region", "host", "port", "disable_https", "proxy_url", "aws_imds_protocol_version" } @@ -132,6 +133,7 @@ function AWSLambdaHandler:access(conf) credentials = credentials, region = region, stsRegionalEndpoints = AWS_GLOBAL_CONFIG.sts_regional_endpoints, + endpoint = conf.aws_sts_endpoint_url, ssl_verify = false, http_proxy = conf.proxy_url, https_proxy = conf.proxy_url, diff --git a/kong/plugins/aws-lambda/schema.lua b/kong/plugins/aws-lambda/schema.lua index 767262d66045..744ca4debbf3 100644 --- a/kong/plugins/aws-lambda/schema.lua +++ b/kong/plugins/aws-lambda/schema.lua @@ -38,6 +38,7 @@ return { { aws_role_session_name = { description = "The identifier of the assumed role session.", type = "string", default = "kong" } }, + { aws_sts_endpoint_url = typedefs.url }, { aws_region = typedefs.host }, { function_name = { type = "string",