{"id":20579194,"url":"https://github.com/fvinas/tf_aws_lambda_ip_whitelist","last_synced_at":"2025-04-14T19:20:59.781Z","repository":{"id":215118586,"uuid":"119401766","full_name":"fvinas/tf_aws_lambda_ip_whitelist","owner":"fvinas","description":"An AWS Lambda-based mechanism to allow temporary IP whitelisting via security groups","archived":false,"fork":false,"pushed_at":"2018-02-13T14:55:22.000Z","size":48,"stargazers_count":6,"open_issues_count":0,"forks_count":3,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-28T07:41:29.901Z","etag":null,"topics":["aws-ec2","aws-lambda","aws-security-group","infrastructure","lambda-functions","security","terraform-module","whitelist"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fvinas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-01-29T15:33:37.000Z","updated_at":"2022-04-27T06:00:51.000Z","dependencies_parsed_at":"2024-01-02T16:49:56.021Z","dependency_job_id":null,"html_url":"https://github.com/fvinas/tf_aws_lambda_ip_whitelist","commit_stats":null,"previous_names":["fvinas/tf_aws_lambda_ip_whitelist"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fvinas%2Ftf_aws_lambda_ip_whitelist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fvinas%2Ftf_aws_lambda_ip_whitelist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fvinas%2Ftf_aws_lambda_ip_whitelist/releases","manifests_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/repositories/fvinas%2Ftf_aws_lambda_ip_whitelist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fvinas","download_url":"https://codeload.github.com/fvinas/tf_aws_lambda_ip_whitelist/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248943427,"owners_count":21186958,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-ec2","aws-lambda","aws-security-group","infrastructure","lambda-functions","security","terraform-module","whitelist"],"created_at":"2024-11-16T06:16:03.894Z","updated_at":"2025-04-14T19:20:59.763Z","avatar_url":"https://github.com/fvinas.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# tf_aws_lambda_ip_whitelist\n\n## Lambda-based mechanism to temporarily whitelist IP addresses in security group ingress rules\n\nThis Terraform module for AWS lets you set up a self-managed, temporary IP whitelisting policy via security groups, and gives end users a high-level command to run from wherever they are (home, hotel, …) to grant themselves temporary network access to the infrastructure (SSH, HTTPS or any other TCP port), while keeping the infrastructure secure (access is restricted to the whitelist the rest of the time) and automated (rule expiration and cleanup is automatic).\n\n```shell\n# Retrieves my public IP address and authorizes it for 1 day on the selected target IP \u0026 ports\n./allow_ip bob\nIP address now authorized! 
😀\n```\n\nThis module provisions two Lambda functions:\n- `lambda_add_rule`, whose role is to add entries to a given security group\n- `lambda_clean_rules`, whose role is to periodically remove expired entries from that security group\n\nA common use case for this two-part Lambda mechanism is a \"deny by default\" SSH or HTTPS access policy, where each user temporarily registers their origin IP address in the SG through the Lambda function.\n\nFeel free to fork and file a PR to adapt it to your needs (UDP, …).\n\n## Inputs\n\n  * `region` - AWS region code (required)\n  * `security_group_id` - The ID of the security group the Lambdas will add rules to or remove rules from (required)\n  * `port` - The TCP port(s) on which ingress traffic will be authorized (optional, defaults to `22`, SSH). Can be provided as a single port (e.g. `'22'`), as a list of ports (e.g. `'22;80;443'`) or as a port range (e.g. `'3000-4000'`).\n  * `name` - Name used as a basename for all resource identifiers (optional, defaults to `'TF_AWS_LAMBDA_IP_WHITELIST'`)\n  * `expiry_duration` - The duration after which a rule is considered expired (in minutes, optional, defaults to `'1440'`, i.e. 1 day)\n  * `cleaning_rate` - The rate at which `lambda_clean_rules` is launched. This is an AWS CloudWatch Events schedule expression (`rate(...)` or `cron(...)`). (optional, defaults to `'cron(0 0/2 * * ? 
*)'`, i.e. every 2 hours)\n\n## Outputs\n\n  * `lambda_add_rule_arn`: ARN of the entry-point Lambda, so that you can grant invoke rights on it to the users allowed to run it.\n  * `lambda_add_rule_function_name`: Name of the entry-point Lambda, which you may use to invoke the function.\n\n## Usage\n\n### Shell script, client side\n\nThis is an example of a script that you may set up and hand to your users so that they can whitelist their current IP address.\n\nIt can be called, for instance, via:\n\n```shell\n./example.py Bob\n```\n\n```python\n#!/usr/bin/env python\n# -*- coding: utf-8 -*-\n\n# Standard library\nimport sys\nimport json\nimport base64\n\n# Third party\nimport boto3\nimport requests\n\n# Name of the `lambda_add_rule` function created by the module (see the `lambda_add_rule_function_name` output)\nFUNCTION_NAME = 'TF_AWS_LAMBDA_IP_WHITELIST-ip-whitelisting-lambda-add-rule'\nREGION = 'us-east-1'\n\n\ndef get_public_ip():\n    \"\"\"Helper to retrieve the current public IP address, as a str.\"\"\"\n    AMAZON_CHECKIP_URL = 'https://checkip.amazonaws.com/'\n\n    response = requests.get(AMAZON_CHECKIP_URL, timeout=10)\n    response.raise_for_status()\n    # `.text` rather than `.content`: json.dumps() below needs a str, not bytes\n    return response.text.strip()\n\n\ndef main():\n    if len(sys.argv) != 2:\n        print('Usage: {} <user>'.format(sys.argv[0]))\n        sys.exit(2)\n\n    client = boto3.client('lambda', region_name=REGION)\n\n    user = sys.argv[1]\n\n    # Synchronous Lambda invocation; LogType='Tail' returns the last 4 KB of the execution log, base64-encoded\n    response = client.invoke(\n        FunctionName=FUNCTION_NAME,\n        InvocationType='RequestResponse',\n        LogType='Tail',\n        Payload=json.dumps({\n            'user': user,\n            'ip': get_public_ip()\n        })\n    )\n    logs = base64.b64decode(response['LogResult']).decode('utf-8')\n    if 'FunctionError' in response:\n        print('Error while authorizing the IP address 🙁')\n        print(logs)\n        sys.exit(1)\n    else:\n        print('IP address now authorized! 😀')\n        print(logs)\n\n\nif __name__ == '__main__':\n    main()\n```\n\n### Terraform code, infrastructure definition side\n\nTODO: example code to add lambda invoke permissions\n\n```hcl\nresource \"aws_security_group\" \"my_sg\" {\n    ...\n}\n\nmodule \"ssh_whitelisting_mechanism\" {\n    source            = \"github.com/fvinas/tf_aws_lambda_ip_whitelist\"\n    security_group_id = \"${aws_security_group.my_sg.id}\"\n    port              = \"22;80;443\"\n    region            = \"us-east-1\"\n}\n\n# Attach this policy to the IAM users/groups allowed to whitelist their IP.\n# It grants invoke rights on the module's entry-point Lambda only, nothing else.\nresource \"aws_iam_policy\" \"whitelisting_lambda_policy\" {\n  name        = \"WhitelistingLambdaPolicy\"\n  path        = \"/\"\n  description = \"Allow users to invoke the whitelisting lambda function.\"\n\n  policy = \u003c\u003cEOF_POLICY\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"lambda:InvokeFunction\"\n      ],\n      \"Resource\": [\n        \"${module.ssh_whitelisting_mechanism.lambda_add_rule_arn}\"\n      ]\n    }\n  ]\n}\nEOF_POLICY\n}\n```\n\n## Next steps\n\n- create the SG directly in the module (but this adds complexity to the input parameters: VPC, etc.)\n- support for non-IAM users\n- integrate the Lambda behind an API Gateway\n- support for IPv6 rules\n- support for IP ranges\n- support for UDP\n\n## Authors\n\nOriginally created and maintained by [Fabien Vinas](https://github.com/fvinas)\n\n## License\n\nApache 2 Licensed. See LICENSE for full details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffvinas%2Ftf_aws_lambda_ip_whitelist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffvinas%2Ftf_aws_lambda_ip_whitelist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffvinas%2Ftf_aws_lambda_ip_whitelist/lists"}