This repository was archived by the owner on Jun 20, 2025. It is now read-only.
Deployment changes for MVA lambda function. #2339
Open
ajinkya-ghonge wants to merge 2 commits into main from
Conversation
Differential Revision: D49209824
fbshipit-source-id: a64b2eda2df723b205a652860b93496df586c052
Summary:

# Context

As part of the KIA-ALS integration, I added logic required for PCR measurement validation to the KIA lambda function. As part of this integration, the Lambda function needs to temporarily assume a different IAM role to query the Meta AWS deployed QLDB, validate the measurements and then assume its original IAM role. While the KIA-ALS integration worked fine, the function was not able to assume its original role after that. Based on further investigation I see that hopping back and forth between IAM roles is not supported right now in AWS Lambda functions. In order to solve this issue, I am moving the measurement validation logic to a new lambda that will be invoked from KIA.

Thus, KIA will now invoke this new lambda with the PCRs and QLDB parameters. The new Measurement Validation Agent will assume the role provided, validate the measurements and return a Success/Failure status back to KIA. On successful measurement validation, KIA will then proceed with the encryption; on failure it will terminate the process with a Failed status.

# Changes in the stack

1. Add a new QLDB repo handler: this handler will create the ALS QLDB repository.
2. Add a Measurement validation handler: this handler will hold the logic to validate the measurements.
3. Add Measurement validation Runner: the entry point of the lambda function; this will validate the input and call the handlers.
4. Add deployment changes for the new lambda: changes needed to deploy the new lambda as part of the CB AWS infra.
5. Invoke Lambda from KIA: add the changes required to invoke the MVA lambda from KIA.
6. Add deployment changes for KIA: as part of this, we will need to pass the MVA lambda function name to KIA; add changes to the deployment script for that.
7. Remove Measurement validation code from KIA: now that the measurement validation logic is moved to a new lambda function, remove it from KIA.
8. Changes to undeploy MVA lambda: add changes to undeploy the MVA lambda when CB is uninstalled.
9. Add changes to CB API to pass QLDB parameters to KIA.
10. Add changes to Coordinator to pass QLDB parameters to CB.

# Changes in this diff

Add deployment changes for the new lambda: changes needed to deploy the new lambda as part of the CB AWS infra.

Differential Revision: D49374679
fbshipit-source-id: 75f4b1af783351f9d316b5d470dcd921bf5f7d3e
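The KIA-to-MVA contract the description lays out (KIA hands over PCRs plus QLDB parameters; the MVA assumes the role it is given, reads the expected measurements from the ledger and answers Success or Failure) is sketched below as an added example. It is not code from this PR or its repository. The event field names (`pcrs`, `qldb.role_arn`, `qldb.ledger_name`, `qldb.region`), the STS session name, the PCR digest length (SHA-384, as used by enclave PCRs) and the in-memory ledger are all assumptions; the STS call and the ledger read are injected as callables so the validation path runs offline and fails closed on malformed input.

```python
"""Added example (not the PR's code): a sketch of the Measurement Validation
Agent (MVA) contract. KIA invokes the MVA with PCR measurements and QLDB
parameters; the MVA assumes the IAM role it is handed, fetches the expected
measurements from the ledger and returns a Success/Failure status. Field
names, the STS call and the ledger lookup are assumptions."""
import hmac
import re
from typing import Callable, Dict, Mapping

# Assumption: PCRs are hex-encoded SHA-384 digests (48 bytes = 96 hex chars).
PCR_HEX_LEN = 96
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Assumed names for the "QLDB parameters" the PR description mentions.
REQUIRED_QLDB_PARAMS = ("role_arn", "ledger_name", "region")

Credentials = Dict[str, str]
AssumeRole = Callable[[str], Credentials]
FetchExpected = Callable[[Credentials, Mapping[str, str]], Dict[str, str]]


def normalize_event(event: Mapping) -> Dict:
    """Strictly validate the KIA -> MVA payload and return a normalized copy.
    Malformed input is rejected here, before any credentials are obtained."""
    pcrs = event.get("pcrs")
    if not isinstance(pcrs, dict) or not pcrs:
        raise ValueError("pcrs must be a non-empty object")
    norm_pcrs = {}
    for idx, value in pcrs.items():
        v = value.lower() if isinstance(value, str) else ""
        if len(v) != PCR_HEX_LEN or not HEX_RE.match(v):
            raise ValueError(f"PCR{idx}: expected {PCR_HEX_LEN} hex characters")
        norm_pcrs[str(idx)] = v
    qldb = event.get("qldb")
    if not isinstance(qldb, dict):
        raise ValueError("qldb parameters missing")
    missing = [k for k in REQUIRED_QLDB_PARAMS if not qldb.get(k)]
    if missing:
        raise ValueError("qldb parameters missing: " + ", ".join(missing))
    if not str(qldb["role_arn"]).startswith("arn:aws:iam::"):
        raise ValueError("qldb.role_arn is not an IAM role ARN")
    return {"pcrs": norm_pcrs, "qldb": {k: qldb[k] for k in REQUIRED_QLDB_PARAMS}}


def measurements_match(measured: Mapping[str, str], expected: Mapping[str, str]) -> bool:
    """Every PCR the ledger records must be present in the report and equal.
    Extra reported PCRs are ignored; compare_digest keeps the check constant-time."""
    if not expected:
        return False  # an empty ledger entry must not validate anything
    ok = True
    for idx, exp in expected.items():
        ok &= hmac.compare_digest(measured.get(str(idx), ""), exp.lower())
    return ok


def validate(event: Mapping, assume_role: AssumeRole, fetch_expected: FetchExpected) -> Dict[str, str]:
    """Runner logic: validate input, assume the role, compare, report status."""
    try:
        req = normalize_event(event)
    except ValueError as exc:
        return {"status": "Failure", "reason": f"invalid input: {exc}"}
    try:
        # Assumed-role credentials live only in this call frame; they are never
        # cached in a module global, which survives across warm invocations.
        creds = assume_role(req["qldb"]["role_arn"])
        expected = fetch_expected(creds, req["qldb"])
    except Exception as exc:  # report the exception class only, never secrets
        return {"status": "Failure", "reason": f"ledger lookup failed: {type(exc).__name__}"}
    if measurements_match(req["pcrs"], expected):
        return {"status": "Success"}
    return {"status": "Failure", "reason": "PCR mismatch against ledger"}


def sts_assume_role(role_arn: str) -> Credentials:
    """Production assume_role via STS (boto3 imported lazily so the module loads
    offline). The session name is an assumed constant."""
    import boto3
    resp = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName="mva-validation")
    c = resp["Credentials"]
    return {k: c[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken")}


# Constructed offline stand-ins: a fake STS response and an in-memory "ledger".
SAMPLE_LEDGER = {"0": "ab" * 48, "1": "cd" * 48, "2": "ef" * 48}
SAMPLE_QLDB = {"role_arn": "arn:aws:iam::123456789012:role/als-qldb-reader",
               "ledger_name": "als-measurements", "region": "us-east-1"}


def fake_assume_role(role_arn: str) -> Credentials:
    return {"AccessKeyId": "ASIA-FAKE", "SecretAccessKey": "fake", "SessionToken": "fake"}


def fake_fetch_expected(creds: Credentials, qldb: Mapping[str, str]) -> Dict[str, str]:
    return dict(SAMPLE_LEDGER)


def run_demo(pcrs: Mapping) -> Dict[str, str]:
    """Validate a constructed KIA payload against the in-memory ledger."""
    return validate({"pcrs": pcrs, "qldb": SAMPLE_QLDB}, fake_assume_role, fake_fetch_expected)


if __name__ == "__main__":
    print(run_demo({"0": "AB" * 48, "1": "cd" * 48, "2": "ef" * 48}))  # Success
    print(run_demo({"0": "ab" * 48, "1": "cd" * 48, "2": "00" * 48}))  # Failure: mismatch
    print(run_demo({"0": "ab" * 48, "1": "cd" * 48}))                  # Failure: PCR2 absent
    print(run_demo({"0": "zz" * 48, "1": "cd" * 48, "2": "ef" * 48}))  # Failure: invalid input
```

In a deployed function the entry point would call `validate` with `sts_assume_role` and a ledger read that uses the assumed credentials (driver-specific, so not shown here). Because the role is assumed inside the MVA for a single invocation and nothing is written back to module state, the MVA never has to "hop back" to its own role, which is the problem the description says motivated the split; KIA itself then only needs invoke permission on the MVA function name it receives at deployment time.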
This pull request was exported from Phabricator. Differential Revision: D49374679