The Lambda function fetches the latest list of GitHub IP ranges from the GitHub meta endpoint: https://api.github.com/meta. The list is returned as JSON, with CIDR blocks grouped by service (for example hooks, web, api).
Security groups are updated based on the tags attached to them. The following block, which lives in the lambda_handler of github.py, defines the ports the IPs are allowed on:
sg_ports = {
"FromPort": [80, 443],
"ToPort": [80, 443]
}
The tag to match and the GitHub API endpoint are picked up from the Lambda's environment variables:
sg_tag_name = os.environ["sg_tag_name"]
sg_tag_value = os.environ["sg_tag_value"]
api_github_endpoint = os.environ["api_github_endpoint"]
sg_filters = {
"Name": f"tag:{sg_tag_name}",
"Values": [f"{sg_tag_value}"]
}
Values for the environment variables are defined in main.tf, the Terraform deployment script that deploys the Lambda function with the required permissions. They can be modified in the following block:
environment {
variables = {
sg_tag_name = "SourceList",
sg_tag_value = "github",
api_github_endpoint = "https://api.github.com/meta"
}
}
The function is assumed to be used with multiple AWS accounts. For that reason there is a config.json which contains the target account and the IAM role the function will assume. If you are only running it in a single account, the Terraform templates create that role for you as well, via this resource in main.tf:
resource "aws_iam_role" "cloudeng_assume_role"
The policy attached to the above role can be found in the following resource:
resource "aws_iam_role_policy" "cloudeng_assume_role_policy"
After deploying the Terraform templates, make sure to update config.json with the ARN of the role to assume. For every account listed there, that role's trust policy must allow the Lambda's execution role to call sts:AssumeRole, otherwise the function fails at the assume step before touching any security group.
A CloudWatch Events rule is also set up to trigger the Lambda. Currently it fires Monday to Thursday at 10:00 UTC (CloudWatch cron expressions are evaluated in UTC, not local time). Modify the following block if you need a different schedule:
resource "aws_cloudwatch_event_rule" "event_rule" {
name = "github-lambda-event-rule-${var.environment}"
description = "Event rule to trigger lambda at 10am (MON-THU)"
schedule_expression = "cron(0 10 ? * MON-THU *)"
}
With that in place, any security group tagged SourceList = github will carry the latest GitHub IPs on ports 80 and 443 after each run.
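The reconciliation step the paragraphs above describe (fetch /meta, compare with what the tagged security group already allows on the managed ports, authorize the missing CIDRs and revoke the stale ones) is shown below as an added, offline-runnable example. This is not the project's github.py; it is written here to illustrate the logic. Assumptions: the /meta keys to trust (hooks here; the page does not say which keys the real handler uses), the sample /meta body and sample describe_security_groups() output are constructed, and the 60-rules-per-group default quota is the AWS default, adjustable per account. The output lists are in the IpPermissions shape that boto3's authorize_security_group_ingress and revoke_security_group_ingress accept.

```python
import ipaddress
import json

# Constructed sample in the shape returned by https://api.github.com/meta.
# Only two keys are shown; the real response carries more keys and far more ranges.
SAMPLE_META = json.dumps({
    "hooks": ["192.30.252.0/22", "185.199.108.0/22", "2a0a:a440::/29"],
    "web": ["140.82.112.0/20"],
})

# Constructed sample of the IpPermissions list ec2.describe_security_groups()
# returns for one group: a partly stale rule on 443 and an SSH rule that the
# reconciler must leave alone because port 22 is not managed.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "192.30.252.0/22"}, {"CidrIp": "203.0.113.0/24"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
]

MANAGED_PORTS = (80, 443)  # mirrors sg_ports in github.py (FromPort/ToPort paired by index)


def github_cidrs(meta_json, keys=("hooks",)):
    """Parse the /meta body and return the validated set of CIDRs under `keys`.
    Which keys to trust is a deployment decision; 'hooks' is an assumption here."""
    meta = json.loads(meta_json)
    cidrs = set()
    for key in keys:
        for entry in meta.get(key, []):
            # strict=True rejects anything with host bits set or otherwise malformed,
            # so bad upstream data fails here rather than inside an EC2 API call.
            cidrs.add(str(ipaddress.ip_network(entry, strict=True)))
    return cidrs


def _managed(perm, ports):
    """True if this permission entry is a single-port TCP rule on a managed port."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == perm.get("ToPort")
            and perm.get("FromPort") in ports)


def current_cidrs(permissions, port):
    """Set of CIDRs (v4 and v6) already allowed on exactly this TCP port."""
    found = set()
    for perm in permissions:
        if perm.get("IpProtocol") != "tcp":
            continue
        if perm.get("FromPort") != port or perm.get("ToPort") != port:
            continue
        found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        found.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return found


def _permission(port, cidrs, description=None):
    """Build one IpPermissions entry, splitting v4 and v6 ranges as EC2 expects."""
    v4 = sorted(c for c in cidrs if ipaddress.ip_network(c).version == 4)
    v6 = sorted(c for c in cidrs if ipaddress.ip_network(c).version == 6)
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    extra = {"Description": description} if description else {}
    if v4:
        perm["IpRanges"] = [dict(CidrIp=c, **extra) for c in v4]
    if v6:
        perm["Ipv6Ranges"] = [dict(CidrIpv6=c, **extra) for c in v6]
    return perm


def plan(meta_json, permissions, ports=MANAGED_PORTS, keys=("hooks",), max_rules=60):
    """Return (authorize, revoke) IpPermissions lists for one security group.
    Rules on ports outside `ports` are never touched. Raises ValueError if the
    resulting group would exceed `max_rules` inbound rules (AWS default: 60)."""
    wanted = github_cidrs(meta_json, keys)
    authorize, revoke = [], []
    for port in ports:
        have = current_cidrs(permissions, port)
        if wanted - have:
            authorize.append(_permission(port, wanted - have, "github meta"))
        if have - wanted:
            revoke.append(_permission(port, have - wanted))
    # Project the rule count after the change and fail before half-applying it.
    untouched = sum(len(p.get("IpRanges", [])) + len(p.get("Ipv6Ranges", []))
                    for p in permissions if not _managed(p, ports))
    projected = untouched + len(wanted) * len(ports)
    if projected > max_rules:
        raise ValueError(f"{projected} inbound rules would exceed the quota of {max_rules}")
    return authorize, revoke


if __name__ == "__main__":
    auth, rev = plan(SAMPLE_META, SAMPLE_PERMISSIONS)
    print(json.dumps({"authorize": auth, "revoke": rev}, indent=2))
```

In a real handler the two lists are passed straight to authorize_security_group_ingress and revoke_security_group_ingress on an EC2 client built from the assumed-role credentials; doing the authorize call before the revoke call means a failure midway leaves the group with extra, not missing, GitHub ranges. The quota check matters because the full /meta response is much larger than the sample: several keys together easily exceed 60 CIDRs, at which point EC2 rejects the authorize call and the group is left partially updated.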
- Set AWS credentials
- Zip lambda script
zip github-lambda.zip github.py config.json
- Initialise terraform
terraform init
- Deploy terraform
terraform apply -auto-approve
Note that the Terraform configuration has no remote backend configured. The local state file records the IDs and ARNs of everything deployed, including the IAM role and the Lambda, so set up a remote backend with locking before using this beyond a test; see the Terraform backend docs.
To run the function locally, export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (add -e AWS_SESSION_TOKEN to the command below if you are using temporary credentials), then run the following. Keep in mind this executes the real handler: it assumes the roles in config.json and modifies the tagged security groups in those accounts.
docker run --rm -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -v "$PWD":/var/task lambci/lambda:python3.6 github.lambda_handler