feat: secure access to lambda functions (#2)

+ Change the SSR server and OPTIONS handler lambda function URLs to use AWS_IAM authorization.
+ Provide permission for the lamdba@egde function to sign requests to the lambda URLs.
+ Update tests (partially)

Author: H0R5E

adapter.ts

@@ -2,7 +2,10 @@ import { writeFileSync } from 'fs'
 import { join } from 'path'
 import * as url from 'url'
 
-import { LocalProgramArgs, LocalWorkspace } from '@pulumi/pulumi/automation/index.js'
+import {
+  LocalProgramArgs,
+  LocalWorkspace,
+} from '@pulumi/pulumi/automation/index.js'
 import {
   buildServer,
   buildOptions,
@@ -43,7 +46,7 @@ export function adapter({
   MEMORY_SIZE,
   zoneName = 'us-east-2',
   env = {},
-  pulumiPaths = []
+  pulumiPaths = [],
 }: AWSAdapterProps = {}) {
   /** @type {import('@sveltejs/kit').Adapter} */
   return {
@@ -69,12 +72,13 @@ export function adapter({
           serverArgs,
           {
             envVars: {
-              'TS_NODE_IGNORE': '^(?!.*(sveltekit-adapter-aws-pulumi)).*'
-            }
-          })
+              TS_NODE_IGNORE: '^(?!.*(sveltekit-adapter-aws-pulumi)).*',
+            },
+          }
+        )
 
         // Set the AWS region.
-        await serverStack.setConfig("aws:region", { value: zoneName });
+        await serverStack.setConfig('aws:region', { value: zoneName })
 
         await serverStack.setAllConfig({
           projectPath: { value: '.env' },
@@ -83,7 +87,6 @@ export function adapter({
           memorySizeStr: { value: String(MEMORY_SIZE) },
         })
 
-
         const serverStackUpResult = await serverStack.up({
           onOutput: console.info,
         })
@@ -103,21 +106,21 @@ export function adapter({
           stackName: stackName,
           workDir: mainPath,
         }
-        const mainStack = await LocalWorkspace.createOrSelectStack(
-          mainArgs,
-          {
-            envVars: {
-              'TS_NODE_IGNORE': '^(?!.*(sveltekit-adapter-aws-pulumi)).*'
-            }
-          })
+        const mainStack = await LocalWorkspace.createOrSelectStack(mainArgs, {
+          envVars: {
+            TS_NODE_IGNORE: '^(?!.*(sveltekit-adapter-aws-pulumi)).*',
+          },
+        })
 
         // Set the AWS region.
-        await mainStack.setConfig("aws:region", { value: zoneName });
+        await mainStack.setConfig('aws:region', { value: zoneName })
 
         await mainStack.setAllConfig({
           edgePath: { value: edge_directory },
           staticPath: { value: static_directory },
           prerenderedPath: { value: prerendered_directory },
+          serverArn: { value: serverStackUpResult.outputs.serverArn.value },
+          optionsArn: { value: serverStackUpResult.outputs.optionsArn.value },
         })
 
         if (FQDN) {
@@ -131,15 +134,17 @@ export function adapter({
         }
 
         const mainStackUpResult = await mainStack.up({ onOutput: console.info })
-        const mainAllowedOrigins = JSON.stringify(mainStackUpResult.outputs.allowedOrigins.value)
-        
+        const mainAllowedOrigins = JSON.stringify(
+          mainStackUpResult.outputs.allowedOrigins.value
+        )
+
         let serverAllowedOrigins: string = ''
         const serverConfig = await serverStack.getAllConfig()
-        
-        if ('allowedOrigins' in serverConfig){
+
+        if ('allowedOrigins' in serverConfig) {
           serverAllowedOrigins = serverConfig['allowedOrigins'].value
         }
-        
+
         if (serverAllowedOrigins !== mainAllowedOrigins) {
           // Call the server stack setting the allowed origins
           await serverStack.setConfig('allowedOrigins', {

bin/destroy.ts

@@ -31,9 +31,8 @@ export async function main(args: string[]): Promise<void> {
       throw error
     }
   }
-  
+
   for (const pulumiPath of adapterProps.pulumiPaths!) {
-  
     spawnSync(
       'pulumi',
       ['destroy', '-f', '-s', adapterProps.stackName!, '-y', '--refresh'],
@@ -43,7 +42,6 @@ export async function main(args: string[]): Promise<void> {
         env: process.env,
       }
     )
-  
   }
 }
 

package.json

@@ -57,10 +57,10 @@
     "@pulumi/command": "^0.7.1",
     "@pulumi/pulumi": "^3.0.0",
     "dotenv": "^16.0.3",
-    "minimist": "^1.2.8",
-    "sveltekit-adapter-aws-base": "~1.4.8",
     "folder-hash": "^4.0.4",
-    "lodash": "^4.17.21"
+    "lodash": "^4.17.21",
+    "minimist": "^1.2.8",
+    "sveltekit-adapter-aws-base": "^1.5.5"
   },
   "release": {
     "branches": [

stacks/main/index.ts

@@ -16,6 +16,8 @@ const staticPath = pulumiConfig.get('staticPath')
 const prerenderedPath = pulumiConfig.get('prerenderedPath')
 const FQDN = pulumiConfig.get('FQDN')
 const serverHeadersStr = pulumiConfig.get('serverHeaders')
+const serverArn = pulumiConfig.get('serverArn')
+const optionsArn = pulumiConfig.get('optionsArn')
 
 const [_, zoneName, ...MLDs] = FQDN!.split('.') || []
 const domainName = [zoneName, ...MLDs].join('.')
@@ -26,12 +28,11 @@ if (serverHeadersStr) {
   serverHeaders = JSON.parse(serverHeadersStr)
 }
 
-const iamForLambda = getLambdaRole()
+const iamForLambda = getLambdaRole([serverArn!, optionsArn!])
 const routerHandler = buildRouter(iamForLambda, edgePath!)
 
 let certificateArn: pulumi.Input<string> | undefined
 
-
 if (FQDN) {
   certificateArn = validateCertificate(FQDN!, domainName)
 }

stacks/main/resources.ts

@@ -17,35 +17,74 @@ const eastRegion = new aws.Provider(registerName('ProviderEast'), {
   region: 'us-east-1',
 })
 
-export function getLambdaRole(): aws.iam.Role {
+export function getLambdaRole(functionArns?: string[]): aws.iam.Role {
+  interface IAMPolicy {
+    statements: [
+      {
+        principals?: [
+          {
+            type: string
+            identifiers: string[]
+          }
+        ]
+        actions: string[]
+        effect: string
+        resources?: string[]
+      }
+    ]
+  }
+
+  let lambdaPolicyStub: IAMPolicy = {
+    statements: [
+      {
+        principals: [
+          {
+            type: 'Service',
+            identifiers: ['lambda.amazonaws.com', 'edgelambda.amazonaws.com'],
+          },
+        ],
+        actions: ['sts:AssumeRole'],
+        effect: 'Allow',
+      },
+    ],
+  }
+
+  let lambdaPolicyDocument = aws.iam.getPolicyDocumentOutput(lambdaPolicyStub)
   const iamForLambda = new aws.iam.Role(registerName('IamForLambda'), {
-    assumeRolePolicy: `{
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Action": "sts:AssumeRole",
-              "Principal": {
-                "Service": [
-                  "lambda.amazonaws.com",
-                  "edgelambda.amazonaws.com"
-                ]
-              },
-              "Effect": "Allow",
-              "Sid": ""
-            }
-          ]
-        }
-        `,
+    assumeRolePolicy: lambdaPolicyDocument.json,
   })
 
-  const RPA = new aws.iam.RolePolicyAttachment(
+  new aws.iam.RolePolicyAttachment(
     registerName('ServerRPABasicExecutionRole'),
     {
       role: iamForLambda.name,
       policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
     }
   )
 
+  if (functionArns) {
+    lambdaPolicyStub = {
+      statements: [
+        {
+          actions: ['lambda:InvokeFunctionUrl'],
+          effect: 'Allow',
+          resources: functionArns,
+        },
+      ],
+    }
+
+    lambdaPolicyDocument = aws.iam.getPolicyDocumentOutput(lambdaPolicyStub)
+
+    const policy = new aws.iam.Policy(registerName('invokePolicy'), {
+      policy: lambdaPolicyDocument.json,
+    })
+
+    new aws.iam.RolePolicyAttachment(registerName('ServerRPAInvokePolicy'), {
+      role: iamForLambda.name,
+      policyArn: policy.arn,
+    })
+  }
+
   return iamForLambda
 }
 
@@ -197,7 +236,7 @@ export function buildCDN(
       description: 'Default Origin Access Control',
       name: 'CloudFrontOriginAccessControl',
       originAccessControlOriginType: 's3',
-      signingBehavior: 'always',
+      signingBehavior: 'no-override',
       signingProtocol: 'sigv4',
     }
   )
@@ -206,9 +245,6 @@ export function buildCDN(
     name: 'Managed-CachingOptimized',
   })
 
-  // serverFunctionURL.functionUrl.apply(
-  //   (endpoint) => endpoint.split('://')[1].slice(0, -1)
-
   const distribution = new aws.cloudfront.Distribution(
     registerName('CloudFrontDistribution'),
     {
@@ -252,6 +288,7 @@ export function buildCDN(
               .apply(([arn, version]) => {
                 return `${arn}:${version}`
               }),
+            includeBody: true,
           },
         ],
         originRequestPolicyId: defaultRequestPolicy.id,

stacks/server/index.ts

@@ -40,10 +40,12 @@ const optionsURL = buildLambda(
   optionsEnv
 )
 
+export const serverArn = serverURL.functionArn
 export const serverDomain = serverURL.functionUrl.apply((endpoint) =>
   endpoint.split('://')[1].slice(0, -1)
 )
 
+export const optionsArn = optionsURL.functionArn
 export const optionsDomain = optionsURL.functionUrl.apply((endpoint) =>
   endpoint.split('://')[1].slice(0, -1)
 )

stacks/server/resources.ts

@@ -63,7 +63,7 @@ export function buildLambda(
 
   const lambdaURL = new aws.lambda.FunctionUrl(`${name}URL`, {
     functionName: lambdaHandler.arn,
-    authorizationType: 'NONE',
+    authorizationType: 'AWS_IAM',
   })
 
   return lambdaURL

tests/adapter.test.ts

@@ -14,28 +14,37 @@ vi.mock('@pulumi/pulumi/automation/index.js', () => {
   const Stack = {
     setConfig: vi.fn(),
     setAllConfig: vi.fn(),
-    getAllConfig: vi.fn(() => {return {}}),
-    up: vi.fn(() => {return {
-      outputs: {
-        serverDomain: {
-          value: 'mock'
-        },
-        optionsDomain: {
-          value: 'mock'
+    getAllConfig: vi.fn(() => {
+      return {}
+    }),
+    up: vi.fn(() => {
+      return {
+        outputs: {
+          serverArn: {
+            value: 'mock',
+          },
+          optionsArn: {
+            value: 'mock',
+          },
+          serverDomain: {
+            value: 'mock',
+          },
+          optionsDomain: {
+            value: 'mock',
+          },
+          allowedOrigins: {
+            value: ['mock'],
+          },
         },
-        allowedOrigins: {
-          value: ['mock']
-        }
       }
-    }
-  }),
+    }),
   }
   const LocalWorkspace = {
-    createOrSelectStack: vi.fn(() => Stack)
+    createOrSelectStack: vi.fn(() => Stack),
   }
-  
+
   return {
-    LocalWorkspace
+    LocalWorkspace,
   }
 })
 
@@ -57,10 +66,10 @@ describe('adapter.ts', () => {
     })
     ;(buildOptions as any).mockImplementation(() => {
       return 'mock'
-      })
+    })
     ;(buildRouter as any).mockImplementation(() => {
       return 'mock'
-      })
+    })
 
     const builder = {
       log: {

tests/bin.destroy.test.ts

@@ -33,10 +33,7 @@ describe('bin/destroy.ts', () => {
     const propsPath = path.join(buildDir, '.adapterprops.json')
 
     const expectedStackName = 'mock'
-    const expectedPulumiPaths = [
-      'stacks/one',
-      'stacks/two'
-    ]
+    const expectedPulumiPaths = ['stacks/one', 'stacks/two']
     const json = JSON.stringify({
       stackName: expectedStackName,
       pulumiPaths: expectedPulumiPaths,
@@ -71,10 +68,7 @@ describe('bin/destroy.ts', () => {
     const propsPath = path.join(tmpDir, '.adapterprops.json')
 
     const expectedStackName = 'mock'
-    const expectedPulumiPaths = [
-      'stacks/one',
-      'stacks/two'
-    ]
+    const expectedPulumiPaths = ['stacks/one', 'stacks/two']
     const json = JSON.stringify({
       stackName: expectedStackName,
       pulumiPaths: expectedPulumiPaths,