fix(aws-lambda): aws lambda service cache by service related fields (#…
…11805)

Cache the AWS Lambda service object under a cache key composed from the service-related fields, so that the service object can be reused between plugins and a vault refresh takes effect when the key/secret is rotated.

* fix(aws-lambda): aws lambda service cache by service related fields

* tests(aws-lambda): add test for checking service cache refresh when vault rotates

* style(*): lint

Fix KAG-2832
windmgc committed Nov 2, 2023
1 parent f406263 commit eaf17ee
Showing 2 changed files with 34 additions and 4 deletions.
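--- a/changelog/unreleased/kong/aws_lambda_service_cache.yml
+++ b/changelog/unreleased/kong/aws_lambda_service_cache.yml
@@ -0,0 +1,3 @@
+message: Cache the AWS lambda service by those lambda service related fields
+type: bugfix
+scope: Plugin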
35 changes: 31 additions & 4 deletions kong/plugins/aws-lambda/handler.lua
@@ -1,9 +1,12 @@
-- Copyright (C) Kong Inc.

local fmt = string.format
local ngx_var = ngx.var
local ngx_now = ngx.now
local ngx_update_time = ngx.update_time
local md5_bin = ngx.md5_bin
local fmt = string.format
local buffer = require "string.buffer"
local lrucache = require "resty.lrucache"

local kong = kong
local meta = require "kong.meta"
@@ -22,7 +25,7 @@ local AWS_REGION do
AWS_REGION = os.getenv("AWS_REGION") or os.getenv("AWS_DEFAULT_REGION")
end
local AWS
local LAMBDA_SERVICE_CACHE = setmetatable({}, { __mode = "k" })
local LAMBDA_SERVICE_CACHE


local function get_now()
@@ -32,11 +35,34 @@ end


local function initialize()
LAMBDA_SERVICE_CACHE = lrucache.new(1000)
AWS_GLOBAL_CONFIG = aws_config.global
AWS = aws()
initialize = nil
end

local build_cache_key do
-- Use AWS Service related config fields to build cache key
-- so that service object can be reused between plugins and
-- vault refresh can take effect when key/secret is rotated
local SERVICE_RELATED_FIELD = { "timeout", "keepalive", "aws_key", "aws_secret",
"aws_assume_role_arn", "aws_role_session_name",
"aws_region", "host", "port", "disable_https",
"proxy_url", "aws_imds_protocol_version" }

build_cache_key = function (conf)
local cache_key_buffer = buffer.new(100):reset()
for _, field in ipairs(SERVICE_RELATED_FIELD) do
local v = conf[field]
if v then
cache_key_buffer:putf("%s=%s;", field, v)
end
end

return md5_bin(cache_key_buffer:get())
end
end


local AWSLambdaHandler = {
PRIORITY = 750,
@@ -62,7 +88,8 @@ function AWSLambdaHandler:access(conf)
local scheme = conf.disable_https and "http" or "https"
local endpoint = fmt("%s://%s", scheme, host)

local lambda_service = LAMBDA_SERVICE_CACHE[conf]
local cache_key = build_cache_key(conf)
local lambda_service = LAMBDA_SERVICE_CACHE:get(cache_key)
if not lambda_service then
local credentials = AWS.config.credentials
-- Override credential config according to plugin config
@@ -132,7 +159,7 @@ function AWSLambdaHandler:access(conf)
http_proxy = conf.proxy_url,
https_proxy = conf.proxy_url,
})
LAMBDA_SERVICE_CACHE[conf] = lambda_service
LAMBDA_SERVICE_CACHE:set(cache_key, lambda_service)
end

local upstream_body_json = build_request_payload(conf)
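Review bot: The key string built in `build_cache_key` is ambiguous, because values are written with `putf("%s=%s;", field, v)` and never escaped, so a value that itself contains `;` or `=` can yield the same string as a different combination of fields. The cache is now shared by every plugin instance and the cached object carries credentials, so two distinct configurations must never map to one key; length-prefixing each value removes the ambiguity, e.g. `local s = tostring(v)` followed by `cache_key_buffer:putf("%s=%d:%s;", field, #s, s)`. Separately, `LAMBDA_SERVICE_CACHE:set(cache_key, lambda_service)` stores entries with no expiry, so a service object built from a rotated-out key/secret stays resident in the worker until LRU eviction; passing a ttl as the third argument to `set` would bound that. The `set` call sits inside `AWSLambdaHandler:access`, whose body extends beyond the visible hunks, so whether every conf field that feeds the service object is listed in `SERVICE_RELATED_FIELD` cannot be confirmed from here.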
