[aws-lambda-nodejs] Using NodeJSFunction construct behind corporate firewall #10194

Closed
2 tasks
lukemerryDHCS opened this issue Sep 4, 2020 · 6 comments · Fixed by #10270
Labels: @aws-cdk/aws-lambda-nodejs, effort/small, feature-request, in-progress, p2

Comments


lukemerryDHCS commented Sep 4, 2020

Attempting to synthesize or deploy a project containing a NodeJSFunction construct fails due to an HTTPS packet inspection certificate in use on my organization's corporate network. Typically when working with Docker containers, we have to either provide the proxy certificate to whatever CLI tools are running in the container, or set the tool to not validate certificates, but since this is abstracted away by the construct, I can't figure out a way to provide it or set npm's strict-ssl parameter to false within the Docker container.

Use Case

Building a CDK project that contains a NodeJSLambda construct from behind a corporate HTTPS inspection firewall.

Proposed Solution

Add a way to set strict-ssl to false or provide a CA in the Docker container used to build the lambda. Since CDK respects the value of the AWS_CA_BUNDLE environment variable, perhaps there is a way to make it work transparently using this certificate?

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

lukemerryDHCS added the feature-request and needs-triage labels Sep 4, 2020
lukemerryDHCS changed the title from "[aws-lambda-nodejs] Using NodeJSLambda construct behind corporate firewall" to "[aws-lambda-nodejs] Using NodeJSFunction construct behind corporate firewall" Sep 4, 2020
Contributor

eladb commented Sep 8, 2020

@jogold wdyt?

eladb added the effort/small and p2 labels Sep 8, 2020
Contributor

jogold commented Sep 8, 2020

@eladb we can easily support this like this I think:

```dockerfile
ARG STRICT_SSL=true
ENV npm_config_strict_ssl=$STRICT_SSL
```

then

```ts
new lambda.NodejsFunction(this, 'my-handler', {
  buildArgs: {
    STRICT_SSL: 'false',
  },
});
```

@lukemerryDHCS using an HTTPS proxy is not a solution for you?

```ts
new lambda.NodejsFunction(this, 'my-handler', {
  buildArgs: {
    HTTPS_PROXY: 'https://127.0.0.1:3001',
  },
});
```

SomayaB removed the needs-triage label Sep 8, 2020
@lukemerryDHCS
Author

@jogold I don't think so. My organization decrypts and re-encrypts everything with a self-signed certificate, but as far as I'm aware there is not a proxy available. We typically have to set each command line tool (npm, .NET Core CLI, git, etc.) to trust the self-signed cert, and Docker is always an extra headache since it has to be done inside the running container as well.

@lukemerryDHCS
Author

Another approach that I think could be useful would be to provide a parameter to override the build image. This could be a nice way of getting around this problem while also adding more versatility to the construct.

Contributor

jogold commented Sep 9, 2020

@eladb what do you say? add an option to disable SSL validation or to override the build image?

Contributor

hoegertn commented Sep 9, 2020

I would prefer the custom build image.

  1. There will be other requests that we would need to handle then.
  2. Disabling SSL is a nightmare from a security POV and I would not introduce this to the world for some corner case.
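
The two options discussed above differ in what the build container ends up trusting. As an added example (not code from this thread or from the aws-cdk project), here is a custom bundling image that trusts the inspection CA and leaves npm's certificate validation on, instead of setting `npm_config_strict_ssl` to `false`. Assumptions: `BASE_IMAGE` is a placeholder for whatever Node.js build image you would otherwise use, and `corp-inspection-ca.pem` is a constructed file name for the PEM-encoded root certificate of the HTTPS inspection device, placed in the Docker build context.

```dockerfile
# Added example; not the aws-cdk project's Dockerfile.
# BASE_IMAGE is a placeholder (assumption): substitute your Node.js build image.
ARG BASE_IMAGE=node:lts
FROM ${BASE_IMAGE}

# Constructed file name (assumption). Copy only the public CA certificate;
# a private key must never be baked into an image layer.
COPY corp-inspection-ca.pem /etc/pki/corp/corp-inspection-ca.pem

# Fail the image build early if the file is not PEM certificate data,
# and make it world-readable so a non-root build user can load it.
RUN grep -q "BEGIN CERTIFICATE" /etc/pki/corp/corp-inspection-ca.pem \
 && chmod 0444 /etc/pki/corp/corp-inspection-ca.pem

# Node.js appends the certificates in this file to its built-in trust store.
ENV NODE_EXTRA_CA_CERTS=/etc/pki/corp/corp-inspection-ca.pem

# npm reads npm_config_* environment variables. cafile names the CA file npm
# trusts for registry connections; strict-ssl stays at its default of true,
# so a certificate that does not chain to this CA is still rejected.
ENV npm_config_cafile=/etc/pki/corp/corp-inspection-ca.pem
ENV npm_config_strict_ssl=true
```

With this image, a registry certificate re-signed by the inspection device validates against the corporate CA, while a certificate from any other untrusted issuer still fails the build, which the `STRICT_SSL: 'false'` build argument would not catch.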

jogold added a commit to jogold/aws-cdk that referenced this issue Sep 9, 2020
Add option to supply a custom bundling image.

Closes aws#10194
SomayaB added the in-progress label Sep 9, 2020
mergify bot closed this as completed in #10270 Sep 14, 2020
mergify bot pushed a commit that referenced this issue Sep 14, 2020
Add option to supply a custom bundling image.

Closes #10194


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*