Merge pull request #59 from hablutzel1/eventbridge-warmer

Introduce a Lambda function warmer to mitigate cold starts

Author: birgelee

configure.py

@@ -144,9 +144,7 @@ def main(raw_args=None):
         # Iterate through the different regions specified and produce an output file for each region.
         for region in config['perspectives']:
             aws_perspective_tf_region = aws_perspective_tf.replace("{{region}}", region)
-            
-            # Replace the deployment id.
-            aws_perspective_tf_region = aws_perspective_tf_region.replace("{{deployment-id}}", str(deployment_id))
+
             # Construct the default CAA domain list.
             default_caa_domains_list = "|".join(config['caa-domains'])
             aws_perspective_tf_region = aws_perspective_tf_region.replace("{{default-caa-domains}}", f"\"{default_caa_domains_list}\"")

open-tofu/aws-perspective.tf.template

@@ -1,7 +1,7 @@
 # Each layer must be created in the region of the functions.
 resource "aws_lambda_layer_version" "python3_open_mpic_layer_{{region}}" {
     filename            = "../layer/python3_layer_content.zip"
-    layer_name          = "python3_open_mpic_layer_{{region}}_{{deployment-id}}"
+    layer_name          = "python3_open_mpic_layer_{{region}}_${local.deployment_id}"
     source_code_hash    = "${filebase64sha256("../layer/python3_layer_content.zip")}"
     compatible_runtimes = ["python3.11"]
     provider = aws.{{region}}
@@ -197,7 +197,7 @@ resource "aws_route53_resolver_dnssec_config" "dnssec_config_{{region}}" {
 
 resource "aws_lambda_function" "mpic_dcv_checker_lambda_{{region}}" {
     filename      = "../{{source-path}}/mpic_dcv_checker_lambda/mpic_dcv_checker_lambda.zip"
-    function_name = "open_mpic_dcv_checker_lambda_{{region}}_{{deployment-id}}"
+    function_name = "open_mpic_dcv_checker_lambda_{{region}}_${local.deployment_id}"
     role          = aws_iam_role.open_mpic_lambda_role.arn
     depends_on = [
       aws_iam_role.open_mpic_lambda_role,
@@ -228,7 +228,7 @@ resource "aws_lambda_function" "mpic_dcv_checker_lambda_{{region}}" {
 
 resource "aws_lambda_function" "mpic_caa_checker_lambda_{{region}}" {
     filename      = "../{{source-path}}/mpic_caa_checker_lambda/mpic_caa_checker_lambda.zip"
-    function_name = "open_mpic_caa_checker_lambda_{{region}}_{{deployment-id}}"
+    function_name = "open_mpic_caa_checker_lambda_{{region}}_${local.deployment_id}"
     role          = aws_iam_role.open_mpic_lambda_role.arn
     depends_on = [
       aws_iam_role.open_mpic_lambda_role,

open-tofu/eventbridge_warmer.tf

@@ -0,0 +1,102 @@
+resource "aws_scheduler_schedule" "open_mpic_warmer_schedule" {
+  for_each = {
+    for k, v in {
+      # TODO instead of using valid MPIC requests, evaluate to modify the coordinator Lambda to receive an especial parameter to trigger the warmup of all the perspectives. That would simplify things by requiring a single warmer, instead of two, as now.
+      caa = {
+        check_type          = "caa"
+        domain_or_ip_target = "invalid"
+        orchestration_parameters = {
+          perspective_count = length(keys(local.perspectives))
+        }
+      }
+      dcv = {
+        check_type          = "dcv"
+        domain_or_ip_target = "invalid"
+        dcv_check_parameters = {
+          validation_method = "dns-change"
+          dns_record_type   = "TXT"
+          challenge_value   = "dummy"
+        }
+        orchestration_parameters = {
+          perspective_count = length(keys(local.perspectives))
+        }
+      }
+    } : k => v if var.eventbridge_warmer_enabled
+  }
+  name       = "open-mpic-${each.key}-warmer-schedule-${local.deployment_id}"
+  group_name = "default"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  schedule_expression = "rate(5 minutes)"
+
+  target {
+    arn      = aws_lambda_function.mpic_coordinator_lambda.arn
+    role_arn = aws_iam_role.open_mpic_warmer_role[0].arn
+    input = jsonencode({
+      resource   = "/dummy",
+      path       = "/dummy",
+      httpMethod = "POST",
+      headers = {},
+      multiValueHeaders = {},
+      requestContext = {
+        accountId = "dummy",
+        apiId     = "dummy",
+        stage     = "dummy",
+        protocol  = "dummy",
+        identity = {
+          sourceIp = "0.0.0.0"
+        },
+        requestId        = "dummy",
+        requestTime      = "dummy",
+        requestTimeEpoch = 0,
+        resourcePath     = "dummy",
+        httpMethod       = "POST",
+        path             = "dummy"
+      },
+      body = jsonencode(each.value)
+    })
+  }
+}
+
+resource "aws_iam_role" "open_mpic_warmer_role" {
+  count = var.eventbridge_warmer_enabled ? 1 : 0
+  name  = "open-mpic-warmer-role-${local.deployment_id}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "scheduler.amazonaws.com"
+      },
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "open_mpic_warmer_role_policy" {
+  count  = var.eventbridge_warmer_enabled ? 1 : 0
+  name   = "open-mpic-warmer-role-policy-${local.deployment_id}"
+  role   = aws_iam_role.open_mpic_warmer_role[0].name
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "lambda:InvokeFunction",
+      "Resource": [
+        "${aws_lambda_function.mpic_coordinator_lambda.arn}"
+      ],
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}

open-tofu/main.tf.template

@@ -4,25 +4,30 @@ provider "aws" {
   profile                 = "default"
 }
 
+locals {
+  deployment_id = {{deployment-id}}
+  perspectives = {{perspectives}}
+}
+
 # Python open-mpic layer (contains third party libraries)
 resource "aws_lambda_layer_version" "python3_open_mpic_layer" {
     filename            = "../layer/python3_layer_content.zip"
-    layer_name          = "python3_open_mpic_layer_{{deployment-id}}"
+    layer_name          = "python3_open_mpic_layer_${local.deployment_id}"
     source_code_hash    = "${filebase64sha256("../layer/python3_layer_content.zip")}"
     compatible_runtimes = ["python3.11"]
 }
 
 # Mpic Coordinator layer for the mpic coordinator lambda (contains supporting first-party source code)
 resource "aws_lambda_layer_version" "mpic_coordinator_layer" {
     filename            = "../layer/mpic_coordinator_layer_content.zip"
-    layer_name          = "mpic_coordinator_layer_{{deployment-id}}"
+    layer_name          = "mpic_coordinator_layer_${local.deployment_id}"
     source_code_hash    = "${filebase64sha256("../layer/mpic_coordinator_layer_content.zip")}"
     compatible_runtimes = ["python3.11"]
 }
 
 # Provide an IAM role for the functions to run under.
 resource "aws_iam_role" "open_mpic_lambda_role" {
-  name = "open-mpic-lambda-role-{{deployment-id}}"
+  name = "open-mpic-lambda-role-${local.deployment_id}"
 
   assume_role_policy = <<EOF
 {
@@ -67,7 +72,7 @@ resource "aws_iam_role_policy_attachment" "invoke-lambda-policy-attach" {
 # Init the mpic coordinator lambda.
 resource "aws_lambda_function" "mpic_coordinator_lambda" {
     filename      = "../{{source-path}}/mpic_coordinator_lambda/mpic_coordinator_lambda.zip"
-    function_name = "open_mpic_lambda_coordinator_{{deployment-id}}"
+    function_name = "open_mpic_lambda_coordinator_${local.deployment_id}"
     role          = aws_iam_role.open_mpic_lambda_role.arn
     handler       = "mpic_coordinator_lambda_function.lambda_handler"
     source_code_hash = filebase64sha256("../{{source-path}}/mpic_coordinator_lambda/mpic_coordinator_lambda.zip")
@@ -81,7 +86,7 @@ resource "aws_lambda_function" "mpic_coordinator_lambda" {
     ]
     environment {
       variables = {
-        perspectives = jsonencode({{perspectives}})
+        perspectives = jsonencode(local.perspectives)
         default_perspective_count = {{default-perspective-count}}
         hash_secret = {{hash-secret}}
         {{absolute-max-attempts-with-key}}
@@ -91,7 +96,7 @@ resource "aws_lambda_function" "mpic_coordinator_lambda" {
 }
 
 resource "aws_api_gateway_rest_api" "open_mpic_api" {
-  name = "open-mpic-api-{{deployment-id}}"
+  name = "open-mpic-api-${local.deployment_id}"
   description = "Open MPIC API Gateway"
   endpoint_configuration {
     types = ["EDGE"]
@@ -121,7 +126,7 @@ resource "aws_lambda_permission" "lambda_permission_api" {
 
 # Set up the API key for the API.
 resource "aws_api_gateway_api_key" "open_mpic" {
-  name = "open_mpic-{{deployment-id}}"
+  name = "open_mpic-${local.deployment_id}"
 }
 
 resource "aws_api_gateway_usage_plan_key" "prod_usage_key" {

open-tofu/variables.tf

@@ -15,3 +15,9 @@ variable "perspective_memory_size" {
   description = "MPIC Perspective Lambda Function Memory"
   default     = 256
 }
+
+variable "eventbridge_warmer_enabled" {
+  type        = bool
+  description = "Enable EventBridge warmer to try to keep Lambda functions warm. See https://aws.amazon.com/pt/blogs/compute/operating-lambda-performance-optimization-part-1/, \"Understanding how functions warmers work\""
+  default     = false
+}

src/aws_lambda_mpic/__about__.py

@@ -1 +1 @@
-__version__ = "1.0.5"
+__version__ = "1.0.6"