Deployment changes for MVA lambda function. #2339
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Differential Revision: D49209824 fbshipit-source-id: a64b2eda2df723b205a652860b93496df586c052
Summary: # Context As part of KIA - ALS integration. I added logic required for PCR measurement validation to KIA lambda function. As part of this integration, the Lambda function needs to temporarily assume a different IAM role to query the Meta AWS deployed QLDB, validate the measurements and then assume it's original IAM role. While the KIA-ALS integration worked fine, the function was not able to assume it's original role post that. Based on further investigation I see hopping back and forth between IAM roles is not supported right now in AWS Lambda function. In order to solve this issue, I am moving the measurement validation logic to a new lambda that will be invoked from KIA. Thus, KIA will now invoke this new lambda with the PCRs and QLDB parameters. The new Measurement Validation Agent, will assume the role provided, validate the measurements and return back Success/Failure status back to KIA. Based on the Successful measurement validation then, KIA will proceed with the encryption and on Faillure will terminate the process with a Failed status. # Changes in the stack 1. Add a new QLDB repo handler : This handler will create the ALS QLDB repository. 2. Add a Measurement validation handler : This handler will hold logic to validate the measurements. 3. Add Measurement validation Runner : Entry point of the lambda function, this will validate the input and call the handlers. 4. Add Deployment changes for the new lambda : Changes need to deploy the new lambda as part of CB AWS infra. 5. Invoke Lambda from KIA : Add changes required to invoke the MVA lambda from KIA. 6. Add deployment changes for KIA : As part of this, we will need to pass the MVA lambda function name to KIA, add changes to deployment script for that. 7. Remove Measurement validation code from KIA : Now that the measurement validation logic is moved to a new lambda function, remove it from KIA. 8. Changes to undeploy MVA lambda : Add changes to undeploy MVA lambda when CB is uninstalled. 9. Add changes to CB API to pass QLDB parameters to KIA. 10. Add changes to Coordinator to pass QLDB parameters to CB. # Changes in this diff Add Deployment changes for the new lambda : Changes need to deploy the new lambda as part of CB AWS infra. Differential Revision: D49374679 fbshipit-source-id: 75f4b1af783351f9d316b5d470dcd921bf5f7d3e
facebook-github-bot
added
CLA Signed
|
This pull request was exported from Phabricator. Differential Revision: D49374679 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary:
Context
As part of KIA - ALS integration. I added logic required for PCR measurement validation to KIA lambda function. As part of this integration, the Lambda function needs to temporarily assume a different IAM role to query the Meta AWS deployed QLDB, validate the measurements and then assume it's original IAM role. While the KIA-ALS integration worked fine, the function was not able to assume it's original role post that. Based on further investigation I see hopping back and forth between IAM roles is not supported right now in AWS Lambda function. In order to solve this issue, I am moving the measurement validation logic to a new lambda that will be invoked from KIA.
Thus, KIA will now invoke this new lambda with the PCRs and QLDB parameters. The new Measurement Validation Agent, will assume the role provided, validate the measurements and return back Success/Failure status back to KIA. Based on the Successful measurement validation then, KIA will proceed with the encryption and on Faillure will terminate the process with a Failed status.
Changes in the stack
Changes in this diff
Add Deployment changes for the new lambda : Changes need to deploy the new lambda as part of CB AWS infra.
Differential Revision: D49374679