README.md: 5 additions & 6 deletions
@@ -2,22 +2,21 @@
2
2
3
3
Deploy a Lambda function within your infrastructure to enable users to decrypt sensitive data from their browser.
4
4
5
-
Once deployed you will be able to use the API URL provided by the AWS API Gateway and add the URL as a decryptor URI for
5
+
Once deployed, you will be able to use the API URL provided by the AWS API Gateway and add the URL as a decryptor URI for
6
6
a Formal Encryption Key.
7
7
8
8
**Note: we highly encourage making sure the API Gateway is only accessible via a VPN to prevent users outside of your organization from making requests to the /decrypt endpoint.**
9
9
10
10
There are three deployment methods: Terraform, Serverless (via Cloudformation), and Docker.
11
11
12
-
## Deploying via Terraform
12
+
## Deploying via Terraform (Recommended)
13
13
14
14
To deploy via Terraform, we recommend incorporating the configuration template provided in the `terraform` directory into your Terraform setup.
15
-
To deploy the configuration as-is, run `make deploy-terraform` with your AWS credentials and with the Terraform CLI installed.
15
+
To deploy the configuration as-is, run `make deploy-terraform` with your AWS credentials and with the Terraform CLI installed. This deployment deploys the API Gateway and Lambda in a *private* subnet within your VPC.
16
16
17
-
## Deploying via Serverless.
18
-
19
-
To deploy via Serverless, run `make deploy-sls` with your Serverless credentials. Note: you will need a Serverless licesnse and the Serverless CLI installed.
17
+
## Deploying via Serverless
20
18
19
+
To deploy via Serverless, run `make deploy-sls` with your Serverless credentials. Note: you will need a Serverless licesnse, AWS Account, and the Serverless CLI installed. This deployment deploys the API Gateway and Lambda *publicly.*
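Review bot: the spelling error `licesnse` survives in the rewritten line (`Note: you will need a Serverless licesnse, AWS Account, and the Serverless CLI installed`); fix it to `license` and `an AWS account` while the line is being touched. More importantly, the new sentence `This deployment deploys the API Gateway and Lambda *publicly.*` contradicts the bold note earlier in this file that the /decrypt endpoint should only be reachable over a VPN, yet the section does not tell the reader what to do about it. Suggest rewording to something like `This deployment exposes the API Gateway and Lambda on the public internet and does not meet the VPN-only recommendation above; see serverless/README.md for how to make it private`, and drop the doubled `deployment deploys` wording in both the Terraform and Serverless sentences.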
serverless/README.md: 13 additions & 0 deletions
@@ -1,5 +1,18 @@
1
1
# Serverless Deployment Guide
2
2
3
+
## Prerequisites
4
+
5
+
- A Serverless license
6
+
- The Serverless CLI (`npm i -E serverless@4.21.1 -g`)
7
+
- AWS Credentials with the ability to deploy API Gateways, Lambdas, EC2 instances and the associated networking.
8
+
9
+
10
+
## A note about private deployments
11
+
12
+
This configuration deploys an AWS Lambda and API Gateway on the public internet. Instead, we recommend modifying this configuration to deploy this in a private subnet and require access to the endpoint via a VPN.
13
+
14
+
## Deployment steps
15
+
3
16
To deploy using the Serverless framework, run the following commands:
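Review bot: the prerequisites list asks for AWS credentials able to deploy `EC2 instances`, but nothing in this guide launches an instance; the public deployment needs API Gateway, Lambda, IAM and CloudWatch Logs rights, and the VPC-attached variant the next paragraph recommends needs VPC networking rights (security groups, subnets, ENIs), not instance launch. Name the permissions actually used so readers do not hand the deploy role broader EC2 access than it needs. The private-deployment note also says to modify this configuration without saying how; since the Terraform configuration in this repo already places the gateway and Lambda in a private subnet behind a VPC endpoint, point to it (or list the serverless.yml keys that need changing) instead of leaving the reader to work it out.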
-**IAM Role**: `decrypt-lambda-role` with KMS decrypt permissions
77
-
-**API Gateway**: REST API with POST /decrypt endpoint
78
-
-**CORS Configuration**: Configured for https://app.joinformal.com (or custom origin)
36
+
-**Lambda Function**: `decrypt-lambda` (or custom name) deployed in private subnets
37
+
-**IAM Role**: `decrypt-lambda-role` with KMS decrypt and VPC access permissions
38
+
-**API Gateway**: Private REST API with POST /decrypt endpoint
39
+
-**VPC Endpoint**: Interface endpoint for API Gateway execute-api service
40
+
-**Security Groups**:
41
+
- Lambda security group with egress to all
42
+
- API Gateway VPC endpoint security group with ingress on port 443 from VPC CIDR
43
+
-**CORS Configuration**: Configured for https://app.joinformal.coms
79
44
-**CloudWatch Log Group**: For Lambda function logs
80
45
81
-
## Updating the Lambda Function
46
+
## VPC Configuration
82
47
83
-
After making changes to your code:
48
+
This deployment creates a **private API Gateway** accessible only from within the VPC. The Lambda function runs in private subnets and connects to API Gateway through a VPC endpoint.
84
49
85
-
1. Rebuild the bootstrap binary
86
-
2. Recreate the zip file: `zip bootstrap.zip bootstrap`
87
-
3. Run `terraform apply` to update the Lambda function
50
+
### VPC Requirements
88
51
89
-
## Cleanup
52
+
-**VPC ID**: An existing VPC where resources will be deployed
53
+
-**Private Subnets**: At least 2 private subnets (recommended for high availability)
54
+
- Subnets should have routes to a NAT Gateway if the Lambda needs internet access
55
+
- Subnets should be in different Availability Zones for resilience
56
+
-**VPC Endpoints**: The terraform configuration automatically creates the required API Gateway execute-api endpoint
90
57
91
-
To destroy all resources:
58
+
### Network Architecture
92
59
93
-
```bash
94
-
terraform destroy
95
60
```
61
+
Client (within VPC) → VPC Endpoint (execute-api) → Private API Gateway → Lambda (in private subnet)
62
+
```
63
+
64
+
The API Gateway is not accessible from the public internet. We recommend requiring access through a VPN so that users can access the API Gateway from their browsers.
96
65
97
66
## Variables
98
67
99
-
| Variable | Description | Default |
100
-
|----------|-------------|---------|
101
-
|`aws_region`| AWS region to deploy resources |`us-east-1`|
102
-
|`function_name`| Name of the Lambda function |`decrypt-lambda`|
103
-
|`stage_name`| API Gateway stage name |`prod`|
104
-
|`kms_key_arn`| ARN for KMS key we're using to decrypt | `` |
105
-
|`log_retention_days`| CloudWatch log retention in days |`14`|
68
+
| Variable | Description | Default | Required |
69
+
|----------|-------------|---------|----------|
70
+
|`aws_region`| AWS region to deploy resources |`us-east-1`| No |
71
+
|`function_name`| Name of the Lambda function |`decrypt-lambda`| No |
72
+
|`stage_name`| API Gateway stage name |`prod`| No |
73
+
|`kms_key_arn`| ARN for KMS key we're using to decrypt | - | Yes |
74
+
|`vpc_id`| VPC ID where Lambda and API Gateway will be deployed | - | Yes |
75
+
|`private_subnet_ids`| List of private subnet IDs (recommend 2+) | - | Yes |
76
+
|`log_retention_days`| CloudWatch log retention in days |`14`| No |
106
77
107
78
## Outputs
108
79
@@ -114,3 +85,7 @@ terraform destroy
114
85
|`lambda_function_arn`| Lambda function ARN |
115
86
|`lambda_role_arn`| Lambda IAM role ARN |
116
87
|`cloudwatch_log_group_name`| CloudWatch Log Group name |
88
+
|`vpc_endpoint_id`| VPC Endpoint ID for API Gateway |
89
+
|`vpc_endpoint_dns_entries`| DNS entries for the VPC endpoint |
90
+
|`vpc_endpoint_private_ips`| Private IP addresses of the VPC endpoint|
91
+
|`access_instructions`| Instructions for accessing the private API |
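Review bot: the new outputs expose the endpoint's DNS entries and private IPs, but the table does not say how a client uses them; since this is a private REST API, the `access_instructions` output should cover that the execute-api hostname has to resolve through the VPC endpoint (private DNS enabled on the endpoint, or the endpoint DNS name with a `Host` header) and that the API's resource policy must allow `execute-api:Invoke` from that endpoint, otherwise the API cannot be invoked even from inside the VPC. Style: the `vpc_endpoint_private_ips` row is missing the space before its closing pipe.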