

- Added implementation to restart ECS service when key is rotated
- Updates to TF to allow lambda to update secret and restart ECS service
Ronaldo Macapobre committed Nov 14, 2024
1 parent 7d4e166 commit 1810680
Showing 16 changed files with 922 additions and 246 deletions.
15 changes: 9 additions & 6 deletions aws/lambdas/auth/authorizer/index.ts
@@ -1,3 +1,4 @@
import { Logger } from "@aws-lambda-powertools/logger";
import {
APIGatewayAuthorizerResult,
APIGatewayRequestAuthorizerEvent,
Expand All @@ -6,8 +7,7 @@ import {
StatementEffect,
} from "aws-lambda";
import { v4 as uuidv4 } from "uuid";
import { getLogger } from "../../../utils/logger";
import { getSecret } from "../../../utils/secretsManager";
import SecretsManagerService from "../../../services/secretsManagerService";

const X_ORIGIN_VERIFY_HEADER = "x-origin-verify";

Expand All @@ -19,7 +19,9 @@ export const handler = async (
console.log(`Context: ${JSON.stringify(context, null, 2)}`);

const correlationId: string = event.requestContext.requestId || uuidv4();
const logger = getLogger(correlationId);
const logger = new Logger({
serviceName: "auth.authorizer",
});

try {
if (!event.headers) {
Expand All @@ -35,14 +37,15 @@ export const handler = async (

// Extract the token from the request
const verifyToken = event.headers[X_ORIGIN_VERIFY_HEADER];
const secretStringJson = await getSecret(
process.env.VERIFY_SECRET_NAME || ""
const smService = new SecretsManagerService();
const secretStringJson = await smService.getSecret(
process.env.VERIFY_SECRET_NAME!
);

let verifyTokenfromSecretManager = "";
if (secretStringJson) {
verifyTokenfromSecretManager = JSON.parse(secretStringJson).verifyKey;
logger.debug(
logger.info(
"Authorization token from secret manager",
verifyTokenfromSecretManager
);
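Review bot: The changed log call at the end of the last hunk, `logger.info("Authorization token from secret manager", verifyTokenfromSecretManager)`, writes the shared verify token itself to the log at info level; the previous `debug` call would typically have been filtered at the default log level, and since this value is the credential the authorizer compares the request header against it should not be emitted at all. Replace it with `logger.info("Authorization token loaded from secret manager");` and, if a trace is needed, record only whether the value was present. The `process.env.VERIFY_SECRET_NAME!` assertion a few lines above only silences the compiler; an unset variable still reaches `getSecret` as `undefined` at runtime, so a guard such as `if (!process.env.VERIFY_SECRET_NAME) throw new Error("VERIFY_SECRET_NAME is not set");` before the call fails closed explicitly. The same non-null-assertion pattern appears in rotate-key/index.ts at `process.env.VERIFY_SECRET_NAME!` and `process.env.CLUSTER_NAME!`. The handler body continues outside the hunk.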
38 changes: 29 additions & 9 deletions aws/lambdas/auth/rotate-key/index.ts
@@ -1,7 +1,8 @@
import { Logger } from "@aws-lambda-powertools/logger";
import { APIGatewayEvent, APIGatewayProxyResult, Context } from "aws-lambda";
import { v4 as uuidv4 } from "uuid";
import { getLogger } from "../../../utils/logger";
import { updateSecret } from "../../../utils/secretsManager";
import ECSService from "../../../services/ecsService";
import SecretsManagerService from "../../../services/secretsManagerService";

export const handler = async (
event: APIGatewayEvent,
Expand All @@ -10,18 +11,19 @@ export const handler = async (
console.log(`Event: ${JSON.stringify(event, null, 2)}`);
console.log(`Context: ${JSON.stringify(context, null, 2)}`);

const correlationId = uuidv4();
const logger = getLogger(correlationId);
const newGuid = uuidv4();
const logger = new Logger({
serviceName: "auth.rotate-key",
});

try {
logger.info("Rotating verifyKey.");
await updateSecret(
process.env.VERIFY_SECRET_NAME,
JSON.stringify({ verifyKey: newGuid })
);
await updateSecret();
logger.info("Successfully rotated verifyKey");

logger.info("Restarting ECS Services to pickup updated VerifyKey.");
await restartECSServices();
logger.info("Restart completed.");

return {
statusCode: 200,
body: JSON.stringify({
Expand All @@ -41,3 +43,21 @@ export const handler = async (
};
}
};

const updateSecret = async () => {
const smService = new SecretsManagerService();
const newGuid = uuidv4();

await smService.updateSecret(
process.env.VERIFY_SECRET_NAME!,
JSON.stringify({ verifyKey: newGuid })
);
};

const restartECSServices = async () => {
const ecsService = new ECSService(process.env.CLUSTER_NAME!);

const services = await ecsService.getECSServices();

await ecsService.restartServices(services);
};
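Review bot: In the handler hunk the rotation is not atomic: `await updateSecret();` completes before `await restartECSServices();` runs, so if the restart throws, Secrets Manager already holds the new verifyKey while running tasks still carry the old one, and the shared catch below the hunk (partly collapsed in this view) reports both failure modes the same way. Naming that state at the restart step, e.g. `try { await restartECSServices(); } catch (e: unknown) { logger.error("verifyKey rotated but ECS restart failed; running tasks may still hold the old key", { error: e }); throw e; }`, gives an operator the signal to re-run the restart rather than re-rotate. In the new `restartECSServices` helper, `restartServices(services)` acts on whatever `getECSServices()` returns; if that lists every service in the cluster (the ECSService implementation is not in this view), unrelated services are restarted on every rotation, so confirm it is scoped to the consumers of the secret or filter the list here. The `newGuid` in the handler body appears unused now that `updateSecret` generates its own value; if it is not referenced in the collapsed response body it should be removed.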
