fix: invoke scan files API via its function url (#554)

Update the S3 scan object lambda function to invoke the scan file API using its function URL. This will bypass CloudFront and avoid any timeouts related to slow response times from the API which will happen under heavy load.
cds-snc · Mar 1, 2023 · c855338 · c855338
1 parent 1a70764
commit c855338
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 1 deletion.
diff --git a/terragrunt/aws/api/outputs.tf b/terragrunt/aws/api/outputs.tf
@@ -30,6 +30,11 @@ output "function_role_arn" {
   value = "arn:aws:iam::${var.account_id}:role/${module.api.function_name}"
 }
 
+output "function_url" {
+  value     = aws_lambda_function_url.scan_files_url.function_url
+  sensitive = true
+}
+
 output "invoke_arn" {
   value = module.api.invoke_arn
 }

diff --git a/terragrunt/aws/s3_scan_object/inputs.tf b/terragrunt/aws/s3_scan_object/inputs.tf
@@ -12,3 +12,9 @@ variable "scan_files_api_key_secret_arn" {
   description = "ARN of the Scan Files API key secret"
   type        = string
 }
+
+variable "scan_files_api_function_url" {
+  description = "URL of the Scan Files API function"
+  type        = string
+  sensitive   = true
+}
diff --git a/terragrunt/aws/s3_scan_object/lambda.tf b/terragrunt/aws/s3_scan_object/lambda.tf
@@ -9,7 +9,7 @@ module "s3_scan_object" {
 
   environment_variables = {
     LOGGING_LEVEL                 = "warn"
-    SCAN_FILES_URL                = "https://${var.domain}"
+    SCAN_FILES_URL                = var.scan_files_api_function_url
     SCAN_FILES_API_KEY_SECRET_ARN = var.scan_files_api_key_secret_arn
     SNS_SCAN_COMPLETE_TOPIC_ARN   = aws_sns_topic.scan_complete.arn
   }

diff --git a/terragrunt/env/production/s3_scan_object/terragrunt.hcl b/terragrunt/env/production/s3_scan_object/terragrunt.hcl
@@ -14,13 +14,15 @@ dependency "api" {
   mock_outputs = {
     function_name                 = ""
     function_role_arn             = ""
+    function_url                  = "http://localhost"
     scan_files_api_key_secret_arn = ""
   }
 }
 
 inputs = {
   scan_files_api_function_role_arn  = dependency.api.outputs.function_role_arn
   scan_files_api_function_role_name = dependency.api.outputs.function_name
+  scan_files_api_function_url       = dependency.api.outputs.function_url
   scan_files_api_key_secret_arn     = dependency.api.outputs.scan_files_api_key_secret_arn
 }
 

diff --git a/terragrunt/env/staging/s3_scan_object/terragrunt.hcl b/terragrunt/env/staging/s3_scan_object/terragrunt.hcl
@@ -14,13 +14,15 @@ dependency "api" {
   mock_outputs = {
     function_name                 = ""
     function_role_arn             = ""
+    function_url                  = "http://localhost"
     scan_files_api_key_secret_arn = ""
   }
 }
 
 inputs = {
   scan_files_api_function_role_arn  = dependency.api.outputs.function_role_arn
   scan_files_api_function_role_name = dependency.api.outputs.function_name
+  scan_files_api_function_url       = dependency.api.outputs.function_url
   scan_files_api_key_secret_arn     = dependency.api.outputs.scan_files_api_key_secret_arn
 }