From 7efdc7e9129048f05948a26811d62afbd5e97240 Mon Sep 17 00:00:00 2001
From: Jaime Hablutzel <hablutzel1@gmail.com>
Date: Sat, 3 May 2025 18:36:06 -0500
Subject: [PATCH 1/2] Add EventBridge warmer configuration.

---
 configure.py                          |   4 +-
 open-tofu/aws-perspective.tf.template |   6 +-
 open-tofu/eventbridge_warmer.tf       | 102 ++++++++++++++++++++++++++
 open-tofu/main.tf.template            |  19 +++--
 open-tofu/variables.tf                |   6 ++
 5 files changed, 124 insertions(+), 13 deletions(-)
 create mode 100644 open-tofu/eventbridge_warmer.tf

diff --git a/configure.py b/configure.py
index 2739745..1d74cc5 100755
--- a/configure.py
+++ b/configure.py
@@ -144,9 +144,7 @@ def main(raw_args=None):
         # Iterate through the different regions specified and produce an output file for each region.
         for region in config['perspectives']:
             aws_perspective_tf_region = aws_perspective_tf.replace("{{region}}", region)
-            
-            # Replace the deployment id.
-            aws_perspective_tf_region = aws_perspective_tf_region.replace("{{deployment-id}}", str(deployment_id))
+
             # Construct the default CAA domain list.
             default_caa_domains_list = "|".join(config['caa-domains'])
             aws_perspective_tf_region = aws_perspective_tf_region.replace("{{default-caa-domains}}", f"\"{default_caa_domains_list}\"")
diff --git a/open-tofu/aws-perspective.tf.template b/open-tofu/aws-perspective.tf.template
index 9a6b8f6..cc5ef47 100644
--- a/open-tofu/aws-perspective.tf.template
+++ b/open-tofu/aws-perspective.tf.template
@@ -1,7 +1,7 @@
 # Each layer must be created in the region of the functions.
 resource "aws_lambda_layer_version" "python3_open_mpic_layer_{{region}}" {
     filename            = "../layer/python3_layer_content.zip"
-    layer_name          = "python3_open_mpic_layer_{{region}}_{{deployment-id}}"
+    layer_name          = "python3_open_mpic_layer_{{region}}_${local.deployment_id}"
     source_code_hash    = "${filebase64sha256("../layer/python3_layer_content.zip")}"
     compatible_runtimes = ["python3.11"]
     provider = aws.{{region}}
@@ -197,7 +197,7 @@ resource "aws_route53_resolver_dnssec_config" "dnssec_config_{{region}}" {
 
 resource "aws_lambda_function" "mpic_dcv_checker_lambda_{{region}}" {
     filename      = "../{{source-path}}/mpic_dcv_checker_lambda/mpic_dcv_checker_lambda.zip"
-    function_name = "open_mpic_dcv_checker_lambda_{{region}}_{{deployment-id}}"
+    function_name = "open_mpic_dcv_checker_lambda_{{region}}_${local.deployment_id}"
     role          = aws_iam_role.open_mpic_lambda_role.arn
     depends_on = [
       aws_iam_role.open_mpic_lambda_role,
@@ -228,7 +228,7 @@ resource "aws_lambda_function" "mpic_dcv_checker_lambda_{{region}}" {
 
 resource "aws_lambda_function" "mpic_caa_checker_lambda_{{region}}" {
     filename      = "../{{source-path}}/mpic_caa_checker_lambda/mpic_caa_checker_lambda.zip"
-    function_name = "open_mpic_caa_checker_lambda_{{region}}_{{deployment-id}}"
+    function_name = "open_mpic_caa_checker_lambda_{{region}}_${local.deployment_id}"
     role          = aws_iam_role.open_mpic_lambda_role.arn
     depends_on = [
       aws_iam_role.open_mpic_lambda_role,
diff --git a/open-tofu/eventbridge_warmer.tf b/open-tofu/eventbridge_warmer.tf
new file mode 100644
index 0000000..1f45ef9
--- /dev/null
+++ b/open-tofu/eventbridge_warmer.tf
@@ -0,0 +1,102 @@
+resource "aws_scheduler_schedule" "open_mpic_warmer_schedule" {
+  for_each = {
+    for k, v in {
+      # TODO instead of using valid MPIC requests, evaluate to modify the coordinator Lambda to receive an especial parameter to trigger the warmup of all the perspectives. That would simplify things by requiring a single warmer, instead of two, as now.
+      caa = {
+        check_type          = "caa"
+        domain_or_ip_target = "invalid"
+        orchestration_parameters = {
+          perspective_count = length(keys(local.perspectives))
+        }
+      }
+      dcv = {
+        check_type          = "dcv"
+        domain_or_ip_target = "invalid"
+        dcv_check_parameters = {
+          validation_method = "dns-change"
+          dns_record_type   = "TXT"
+          challenge_value   = "dummy"
+        }
+        orchestration_parameters = {
+          perspective_count = length(keys(local.perspectives))
+        }
+      }
+    } : k => v if var.eventbridge_warmer_enabled
+  }
+  name       = "open-mpic-${each.key}-warmer-schedule-${local.deployment_id}"
+  group_name = "default"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  schedule_expression = "rate(5 minutes)"
+
+  target {
+    arn      = aws_lambda_function.mpic_coordinator_lambda.arn
+    role_arn = aws_iam_role.open_mpic_warmer_role[0].arn
+    input = jsonencode({
+      resource   = "/dummy",
+      path       = "/dummy",
+      httpMethod = "POST",
+      headers = {},
+      multiValueHeaders = {},
+      requestContext = {
+        accountId = "dummy",
+        apiId     = "dummy",
+        stage     = "dummy",
+        protocol  = "dummy",
+        identity = {
+          sourceIp = "0.0.0.0"
+        },
+        requestId        = "dummy",
+        requestTime      = "dummy",
+        requestTimeEpoch = 0,
+        resourcePath     = "dummy",
+        httpMethod       = "POST",
+        path             = "dummy"
+      },
+      body = jsonencode(each.value)
+    })
+  }
+}
+
+resource "aws_iam_role" "open_mpic_warmer_role" {
+  count = var.eventbridge_warmer_enabled ? 1 : 0
+  name  = "open-mpic-warmer-role-${local.deployment_id}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "scheduler.amazonaws.com"
+      },
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "open_mpic_warmer_role_policy" {
+  count  = var.eventbridge_warmer_enabled ? 1 : 0
+  name   = "open-mpic-warmer-role-policy-${local.deployment_id}"
+  role   = aws_iam_role.open_mpic_warmer_role[0].name
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "lambda:InvokeFunction",
+      "Resource": [
+        "${aws_lambda_function.mpic_coordinator_lambda.arn}"
+      ],
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
diff --git a/open-tofu/main.tf.template b/open-tofu/main.tf.template
index 7e209d0..c1ccfb7 100644
--- a/open-tofu/main.tf.template
+++ b/open-tofu/main.tf.template
@@ -4,10 +4,15 @@ provider "aws" {
   profile                 = "default"
 }
 
+locals {
+  deployment_id = {{deployment-id}}
+  perspectives = {{perspectives}}
+}
+
 # Python open-mpic layer (contains third party libraries)
 resource "aws_lambda_layer_version" "python3_open_mpic_layer" {
     filename            = "../layer/python3_layer_content.zip"
-    layer_name          = "python3_open_mpic_layer_{{deployment-id}}"
+    layer_name          = "python3_open_mpic_layer_${local.deployment_id}"
     source_code_hash    = "${filebase64sha256("../layer/python3_layer_content.zip")}"
     compatible_runtimes = ["python3.11"]
 }
@@ -15,14 +20,14 @@ resource "aws_lambda_layer_version" "python3_open_mpic_layer" {
 # Mpic Coordinator layer for the mpic coordinator lambda (contains supporting first-party source code)
 resource "aws_lambda_layer_version" "mpic_coordinator_layer" {
     filename            = "../layer/mpic_coordinator_layer_content.zip"
-    layer_name          = "mpic_coordinator_layer_{{deployment-id}}"
+    layer_name          = "mpic_coordinator_layer_${local.deployment_id}"
     source_code_hash    = "${filebase64sha256("../layer/mpic_coordinator_layer_content.zip")}"
     compatible_runtimes = ["python3.11"]
 }
 
 # Provide an IAM role for the functions to run under.
 resource "aws_iam_role" "open_mpic_lambda_role" {
-  name = "open-mpic-lambda-role-{{deployment-id}}"
+  name = "open-mpic-lambda-role-${local.deployment_id}"
 
   assume_role_policy = <<EOF
 {
@@ -67,7 +72,7 @@ resource "aws_iam_role_policy_attachment" "invoke-lambda-policy-attach" {
 # Init the mpic coordinator lambda.
 resource "aws_lambda_function" "mpic_coordinator_lambda" {
     filename      = "../{{source-path}}/mpic_coordinator_lambda/mpic_coordinator_lambda.zip"
-    function_name = "open_mpic_lambda_coordinator_{{deployment-id}}"
+    function_name = "open_mpic_lambda_coordinator_${local.deployment_id}"
     role          = aws_iam_role.open_mpic_lambda_role.arn
     handler       = "mpic_coordinator_lambda_function.lambda_handler"
     source_code_hash = filebase64sha256("../{{source-path}}/mpic_coordinator_lambda/mpic_coordinator_lambda.zip")
@@ -81,7 +86,7 @@ resource "aws_lambda_function" "mpic_coordinator_lambda" {
     ]
     environment {
       variables = {
-        perspectives = jsonencode({{perspectives}})
+        perspectives = jsonencode(local.perspectives)
         default_perspective_count = {{default-perspective-count}}
         hash_secret = {{hash-secret}}
         {{absolute-max-attempts-with-key}}
@@ -91,7 +96,7 @@ resource "aws_lambda_function" "mpic_coordinator_lambda" {
 }
 
 resource "aws_api_gateway_rest_api" "open_mpic_api" {
-  name = "open-mpic-api-{{deployment-id}}"
+  name = "open-mpic-api-${local.deployment_id}"
   description = "Open MPIC API Gateway"
   endpoint_configuration {
     types = ["EDGE"]
@@ -121,7 +126,7 @@ resource "aws_lambda_permission" "lambda_permission_api" {
 
 # Set up the API key for the API.
 resource "aws_api_gateway_api_key" "open_mpic" {
-  name = "open_mpic-{{deployment-id}}"
+  name = "open_mpic-${local.deployment_id}"
 }
 
 resource "aws_api_gateway_usage_plan_key" "prod_usage_key" {
diff --git a/open-tofu/variables.tf b/open-tofu/variables.tf
index d3c545a..fc2374e 100644
--- a/open-tofu/variables.tf
+++ b/open-tofu/variables.tf
@@ -15,3 +15,9 @@ variable "perspective_memory_size" {
   description = "MPIC Perspective Lambda Function Memory"
   default     = 256
 }
+
+variable "eventbridge_warmer_enabled" {
+  type        = bool
+  description = "Enable EventBridge warmer to try to keep Lambda functions warm. See https://aws.amazon.com/pt/blogs/compute/operating-lambda-performance-optimization-part-1/, \"Understanding how functions warmers work\""
+  default     = false
+}

From a2b665bda30fb6db50b35d72f6dc50237f8bb0f8 Mon Sep 17 00:00:00 2001
From: Henry Birge-Lee <birgelee@princeton.edu>
Date: Wed, 7 May 2025 11:24:05 -0400
Subject: [PATCH 2/2] version bump

---
 src/aws_lambda_mpic/__about__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/aws_lambda_mpic/__about__.py b/src/aws_lambda_mpic/__about__.py
index 68cdeee..382021f 100644
--- a/src/aws_lambda_mpic/__about__.py
+++ b/src/aws_lambda_mpic/__about__.py
@@ -1 +1 @@
-__version__ = "1.0.5"
+__version__ = "1.0.6"