Support configuring number of provisioned concurrent lambdas #141
Piccirello wants to merge 3 commits into fivexl:main from
This has been deprecated since 1.4.0. Use of API gateway ensures request rate limits apply.
This can help reduce cold starts by keeping some number of lambdas provisioned.
The cursor bot is finally happy 😭
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| revoker_lambda_arn = "arn:aws:lambda:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:function:${var.revoker_lambda_name}" | ||
| requester_lambda_arn = "arn:aws:lambda:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:function:${var.requester_lambda_name}" | ||
| requester_lambda_arn = var.slack_handler_provisioned_concurrent_executions > 0 ? "arn:aws:lambda:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:function:${var.requester_lambda_name}:live" : "arn:aws:lambda:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:function:${var.requester_lambda_name}" |
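Review bot: the added `requester_lambda_arn` line spells out the full ARN interpolation twice, once per ternary branch, with the `:live` suffix as the only difference. Build the unqualified ARN once in its own local (a hypothetical `requester_lambda_base_arn`, say) and write the ternary as `var.slack_handler_provisioned_concurrent_executions > 0 ? "${local.requester_lambda_base_arn}:live" : local.requester_lambda_base_arn`, so the two branches cannot drift apart and anything that needs the unqualified function ARN has a local to reference. The alias name `live` is also a bare string literal here; a named local would keep it in step with wherever the alias itself is declared.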
IAM self-invocation permission may fail with provisioned concurrency
Medium Severity
When provisioned concurrency is enabled, `local.requester_lambda_arn` includes the `:live` alias suffix. The IAM `GetInvokeSelf` statement (line 140) uses this ARN, so it only allows invocation of `function:access-requester:live`. If the Lambda code invokes itself using just the function name (e.g., via `AWS_LAMBDA_FUNCTION_NAME`), the invocation would target `function:access-requester` and be denied by IAM.
Additional Locations (1)
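One way to keep self-invocation authorized with and without the alias, as an added example that is not code from this PR or the project: the statement lists both the unqualified function ARN and the `:live`-qualified one. The `lambda:InvokeFunction` action, the `requester_unqualified_arn` local, the `requester_self_invoke` data source name and the variable defaults are assumptions; the variable names, the data source references and the `GetInvokeSelf` Sid come from the page.

```hcl
# Added example, not the module's own code.
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

variable "requester_lambda_name" {
  type    = string
  default = "access-requester" # constructed default for the example
}

variable "slack_handler_provisioned_concurrent_executions" {
  type    = number
  default = 0 # constructed default: provisioned concurrency off
}

locals {
  # Unqualified function ARN: the resource IAM evaluates when the caller
  # passes only the function name (no alias or version qualifier).
  requester_unqualified_arn = "arn:aws:lambda:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:function:${var.requester_lambda_name}"

  # ARN used for routing: alias-qualified only when provisioned concurrency is on.
  requester_lambda_arn = var.slack_handler_provisioned_concurrent_executions > 0 ? "${local.requester_unqualified_arn}:live" : local.requester_unqualified_arn
}

data "aws_iam_policy_document" "requester_self_invoke" {
  statement {
    sid     = "GetInvokeSelf"
    effect  = "Allow"
    actions = ["lambda:InvokeFunction"] # assumed action for the self-invoke path

    # Scope to exactly the two forms the function can be called by,
    # instead of widening to "function:<name>:*".
    resources = [
      local.requester_unqualified_arn,           # invoke by bare function name
      "${local.requester_unqualified_arn}:live", # invoke through the live alias
    ]
  }
}
```

Provisioned concurrency is attached to an alias or version, so a self-invoke by bare function name runs `$LATEST` and does not use the provisioned instances even when IAM allows it.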
@Piccirello thanks for the PR, we will look into it tomorrow


This change allows users to configure a minimum number of provisioned access requester lambdas. The ultimate goal is reducing cold starts and increasing the speed with which the Slack modal is shown. This also removes the long deprecated `create_lambda_url` input.

Note

Medium Risk

Changes Lambda invocation wiring (API Gateway integration ARN and trigger permissions) and introduces provisioned concurrency/aliasing, which can break Slack request routing if misconfigured.

Overview

Adds a new `slack_handler_provisioned_concurrent_executions` input to optionally enable provisioned concurrency for the access-requester (Slack handler) Lambda, creating a `live` alias and attaching API Gateway invoke permissions to the alias when enabled.

Removes the deprecated `create_lambda_url`/Lambda Function URL path (including related outputs/docs/examples), standardizing Slack integration on the API Gateway `requester_api_endpoint_url` output and updating API Gateway integration to target the alias ARN when provisioned concurrency is used.

Written by Cursor Bugbot for commit 44ebf97.