
Update the security header Lambda's runtime to Node 18 #738

Merged: jsf9k merged 2 commits into develop from improvement/update-lambda-runtime on Dec 28, 2023

Conversation

jsf9k
Member

@jsf9k jsf9k commented Dec 26, 2023

🗣 Description

This pull request updates the security header Lambda's runtime from Node 16 to Node 18.

💭 Motivation and context

We recently received an email from AWS Lambda stating that they are dropping support for Node 16 in mid-2024. Now that we are using version 4.9 of the Terraform AWS provider, we can upgrade our Lambda runtime to Node 18. When we move to the latest version of the Terraform AWS provider, we will be able to upgrade the runtime to at least Node 20.

🧪 Testing

I tested this in the most brütal fashion - by deploying it to production.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.
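As an added illustration (not code from this PR or from the cisagov repository), the Terraform below shows a security-header Lambda@Edge function pinned to the nodejs18.x runtime, with a validation rule that rejects retired runtimes, attached to a CloudFront distribution that reads a private S3 bucket through an origin access identity and writes standard access logs. All resource and variable names, the IAM role, the archive data source and the two S3 buckets are assumptions for illustration.

```hcl
# Added example, not code from this PR or from cisagov. Names, the IAM role,
# the archive data source and the S3 buckets are assumptions.

variable "lambda_runtime" {
  description = "Runtime for the security-header Lambda@Edge function."
  type        = string
  default     = "nodejs18.x"

  # Refuse runtimes AWS has retired or announced end of support for; Node 16
  # loses support in mid-2024 per the AWS notice cited in the PR.
  validation {
    condition     = !contains(["nodejs12.x", "nodejs14.x", "nodejs16.x"], var.lambda_runtime)
    error_message = "Retired Node.js runtime; use nodejs18.x or newer."
  }
}

# Lambda@Edge functions must be created in us-east-1.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_lambda_function" "security_headers" {
  provider = aws.us_east_1

  function_name    = "security-headers"
  role             = aws_iam_role.lambda_edge.arn                  # assumed
  handler          = "index.handler"
  runtime          = var.lambda_runtime
  filename         = data.archive_file.security_headers.output_path # assumed
  source_code_hash = data.archive_file.security_headers.output_base64sha256

  # Lambda@Edge needs a published version; CloudFront references the qualified
  # (versioned) ARN, never $LATEST. Environment variables are not supported at
  # the edge, so none are declared.
  publish = true
}

# CloudFront reaches the private site bucket through an origin access identity;
# the bucket policy grants s3:GetObject to that identity and nothing else.
resource "aws_cloudfront_origin_access_identity" "site" {
  comment = "security-headers example"
}

resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id # assumed to exist
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = aws_cloudfront_origin_access_identity.site.iam_arn }
      Action    = "s3:GetObject"
      Resource  = "${aws_s3_bucket.site.arn}/*"
    }]
  })
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true

  origin {
    domain_name = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id   = "s3-site"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.site.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    # Run on origin responses so headers are added once and cached with the object.
    lambda_function_association {
      event_type   = "origin-response"
      lambda_arn   = aws_lambda_function.security_headers.qualified_arn
      include_body = false
    }
  }

  # Standard access logs to a separate bucket.
  logging_config {
    bucket          = aws_s3_bucket.logs.bucket_domain_name # assumed to exist
    include_cookies = false
    prefix          = "cloudfront/"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

The validation block is what turns the runtime choice into a plan-time check: a future edit back to nodejs16.x fails `terraform plan` instead of deploying a runtime AWS is retiring. Newer runtimes such as nodejs20.x are accepted by the rule but, as the PR notes, also need a newer Terraform AWS provider than 4.9.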

We recently received an email from AWS stating that they are dropping
support for Node 16 in mid-2024.  Now that we are using version 4.9 of
the Terraform AWS provider, we can upgrade to Node 18.  When we move
to the latest version of the Terraform AWS provider, we will be able
to upgrade to at least Node 20.
@jsf9k jsf9k added the terraform Pull requests that update Terraform code label Dec 26, 2023
@jsf9k jsf9k self-assigned this Dec 26, 2023
@jsf9k jsf9k marked this pull request as ready for review December 26, 2023 19:03
@jsf9k
Member Author

jsf9k commented Dec 26, 2023

@dav3r - I have a strong memory of you creating something that needed this sort of Lambda@Edge sauce too, but I couldn't find it. If you have such Terraform out there, and it's running Node 16, then you should upgrade it similarly.

This lifecycle block no longer applies because we have upgraded to
Terraform AWS provider version 4.9.
@jsf9k
Member Author

jsf9k commented Dec 26, 2023

@cisagov/team-ois - Aargh! This change has broken the rules website. If anyone knows why that is so, please let me know. I think the problem is that the Cloudfront distribution is unable to read the objects in the rules bucket, but I don't know why that would be the case. 😭

@jsf9k jsf9k requested a review from a team December 27, 2023 17:38
@dv4harr10
Contributor

dv4harr10 commented Dec 27, 2023

Hi Team, I am noticing the following issues, please ensure that these are resolved:

  1. AWS CloudWatch Log Group is missing retention which can cause losing important event info: @ terraform/bod_vpc_flow_logs.tf line 43, terraform/cyhy_vpc_flow_logs.tf line 43, terraform/mgmt_vpc_flow_logs.tf line 43, and terraform/nvdsync_failure_alarms.tf line 2.
  2. AWS Lambda tracing is not enabled: @ terraform/adi_lambda.tf line 113, terraform/bod_lambdas.tf line 58, and terraform/fdi_lambda.tf line 114.
  3. Ensure that your AWS Cloudfront distributions have the logging feature enabled: @ terraform_egress_pub/cloudfront.tf.
  4. AWS Lambda does not use KMS CMK key to protect environment variables: @ terraform/adi_lambda.tf line 129 and terraform/fdi_lambda.tf line 130.

Thanks
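As an added example (not cisagov code, and not a change made in this PR), the Terraform below configures a regular, non-Edge Lambda so that the first, second and fourth points above are satisfied: an explicitly managed CloudWatch log group with a retention period, X-Ray active tracing, and a customer-managed KMS key protecting environment variables, together with the decrypt, tracing and logging permissions the execution role needs. The function name, artifact path, retention period and all resource names are assumptions.

```hcl
# Added example, not code from cisagov or this PR. Names, the artifact path
# and the retention period are assumptions.

locals {
  function_name = "example-hardened"
}

# Finding 4: a customer-managed key (with rotation) for environment variables
# instead of the AWS-managed default key.
resource "aws_kms_key" "lambda_env" {
  description         = "CMK protecting Lambda environment variables"
  enable_key_rotation = true
}

resource "aws_kms_alias" "lambda_env" {
  name          = "alias/lambda-env"
  target_key_id = aws_kms_key.lambda_env.key_id
}

resource "aws_iam_role" "example" {
  name = "${local.function_name}-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# The role needs kms:Decrypt on the CMK to unwrap its environment variables,
# X-Ray write access for active tracing, and write access to its own log group only.
resource "aws_iam_role_policy" "example" {
  role = aws_iam_role.example.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["kms:Decrypt"]
        Resource = aws_kms_key.lambda_env.arn
      },
      {
        Effect   = "Allow"
        Action   = ["xray:PutTraceSegments", "xray:PutTelemetryRecords"]
        Resource = "*"
      },
      {
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "${aws_cloudwatch_log_group.example.arn}:*"
      }
    ]
  })
}

# Finding 1: create the log group ourselves so retention is set, instead of
# letting Lambda auto-create one that keeps events forever.
resource "aws_cloudwatch_log_group" "example" {
  name              = "/aws/lambda/${local.function_name}"
  retention_in_days = 90
}

resource "aws_lambda_function" "example" {
  function_name    = local.function_name
  role             = aws_iam_role.example.arn
  handler          = "index.handler"
  runtime          = "nodejs18.x"
  filename         = "lambda.zip" # assumed build artifact
  source_code_hash = filebase64sha256("lambda.zip")

  # Finding 2: X-Ray active tracing.
  tracing_config {
    mode = "Active"
  }

  # Finding 4: environment variables encrypted at rest with the CMK above.
  kms_key_arn = aws_kms_key.lambda_env.arn
  environment {
    variables = {
      LOG_LEVEL = "info"
    }
  }

  # Make sure the retention-bearing log group exists before the first invocation.
  depends_on = [aws_cloudwatch_log_group.example]
}
```

The `depends_on` matters: if the function is invoked before Terraform creates the log group, Lambda auto-creates `/aws/lambda/<name>` with no retention and the later `aws_cloudwatch_log_group` apply fails because the group already exists. The third point (CloudFront access logging) is a `logging_config` block on the distribution rather than a Lambda setting, so it is not repeated here.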

@jsf9k
Member Author

jsf9k commented Dec 28, 2023

> Hi Team, I am noticing the following issues, please ensure that these are resolved:
>
>   1. AWS CloudWatch Log Group is missing retention which can cause losing important event info: @ terraform/bod_vpc_flow_logs.tf line 43, terraform/cyhy_vpc_flow_logs.tf line 43, terraform/mgmt_vpc_flow_logs.tf line 43, and terraform/nvdsync_failure_alarms.tf line 2.
>   2. AWS Lambda tracing is not enabled: @ terraform/adi_lambda.tf line 113, terraform/bod_lambdas.tf line 58, and terraform/fdi_lambda.tf line 114.
>   3. Ensure that your AWS Cloudfront distributions have the logging feature enabled: @ terraform_egress_pub/cloudfront.tf.
>   4. AWS Lambda does not use KMS CMK key to protect environment variables: @ terraform/adi_lambda.tf line 129 and terraform/fdi_lambda.tf line 130.
>
> Thanks

@dv4harr10 - None of these points has anything to do with the changes in this PR, but we still want to capture them. Can you create an issue in this repo for each of these four points?

@dav3r
Member

dav3r commented Dec 28, 2023

> @dav3r - I have a strong memory of you creating something that needed this sort of Lambda@Edge sauce too, but I couldn't find it. If you have such Terraform out there, and it's running Node 16, then you should upgrade it similarly.

I think you are probably talking about cisagov/publish-egress-ip-terraform#6, which stalled out due to lack of interest from the intended beneficiaries, hence it was never merged and deployed to Production.

@dav3r
Member

dav3r commented Dec 28, 2023

> @cisagov/team-ois - Aargh! This change has broken the rules website. If anyone knows why that is so, please let me know. I think the problem is that the Cloudfront distribution is unable to read the objects in the rules bucket, but I don't know why that would be the case. 😭

@mcdonnnj created #742 to address the issues you encountered.

@jsf9k jsf9k enabled auto-merge December 28, 2023 22:15
Member

@dav3r dav3r left a comment


👍 ⚙️ 🚀

@jsf9k jsf9k merged commit 041a3ae into develop Dec 28, 2023
8 checks passed
@jsf9k jsf9k deleted the improvement/update-lambda-runtime branch December 28, 2023 22:17
Labels: terraform (Pull requests that update Terraform code)
Projects: Status: Done
4 participants