gRPC Policies

These methods exist on the policy.outboundGrpc object as seen in the following example:

(policy) => {
  policy.outboundGrpc.allow('example.org', 1337, 'users', 'addUser');
}

These policies govern the generation of outbound gRPC requests when the third-party grpc npm module is used.

intrinsic.virtualizeLib('grpc')

This method is called while configuring the Intrinsic instance, before .run(), as in the following example:

// Intrinsic for Lambda
module.exports = new IntrinsicLambda()
  .virtualizeLib('grpc')
  // ...
  .run();

// Intrinsic for Node.js
intrinsic(__filename)
  .virtualizeLib('grpc')
  // ...
  .run();

Note that in the above example we're calling .virtualizeLib('grpc'). Calling this method allows your application to load the grpc native module. Loading a third-party native module has more security implications than simply requiring normal JavaScript code, since native code runs outside the JavaScript sandbox, which is why we specifically provide a method to allow loading the grpc module.

You will need to call this method if you see the following warning, or if you otherwise want to enable outbound gRPC messages to be sent from your Lambda application:

INTRINSIC WARNING: /var/task/node_modules/grpc/src/node/extension_binary
  /node-v48-linux-x64-glibc/grpc_node.node is a native addon. Contact
  Intrinsic if you want to use it in enforcement mode.

policy.outboundGrpc.allow(host, port, service, method)

This method allows sending outbound gRPC messages to the specified host:port combination for the specified service name and method name. Note that the host, service, and method parameters accept glob syntax, while port must match exactly.

You will need to enable gRPC policies if you encounter an error like the following:

[INTRINSIC] OutboundGrpcPolicyViolation: POLICY_VIOLATION sb: "0"
  | Method call 'deleteUser' to service 'users' at user-1.example.com:8443
  not in outbound gRPC whitelist

A policy for the above error might look like the following:

(policy) => {
  policy.outboundGrpc.allow('user-*.example.com', 8443, 'users', 'deleteUser');
}
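To make the matching semantics of allow(host, port, service, method) concrete, the following is an added example (not Intrinsic's own code) that models an outbound gRPC allowlist: glob patterns for host, service and method, an exact port, and the same violation message shape as the error above. The assumed glob semantics ('*' matches any run of characters, '?' a single character) and the OutboundGrpcPolicy, buildPolicy and evaluate names are assumptions made for this illustration; the two policy functions it loads are the ones shown on this page.

```javascript
// Added example: a minimal model of how outbound gRPC allowlist entries are
// matched. NOT Intrinsic's implementation; assumed semantics are that host,
// service and method are globs ('*' = any run, '?' = one char) and port is exact.

// Convert a glob pattern into an anchored regular expression.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')                 // '*' matches any run of characters
    .replace(/\?/g, '.');                 // '?' matches exactly one character
  return new RegExp('^' + escaped + '$');
}

// Collects allow() rules exactly as a policy function would register them.
class OutboundGrpcPolicy {
  constructor() {
    this.rules = [];
  }

  allow(host, port, service, method) {
    this.rules.push({
      host: globToRegExp(host),
      port: Number(port),
      service: globToRegExp(service),
      method: globToRegExp(method),
    });
    return this;
  }

  // A call is allowed only if some rule matches all four fields.
  isAllowed(call) {
    return this.rules.some(
      (r) =>
        r.host.test(call.host) &&
        r.port === Number(call.port) &&
        r.service.test(call.service) &&
        r.method.test(call.method)
    );
  }
}

// Run a policy function of the form (policy) => { ... } against a fresh policy object.
function buildPolicy(policyFn) {
  const policy = { outboundGrpc: new OutboundGrpcPolicy() };
  policyFn(policy);
  return policy;
}

// Reproduce the violation text shown on this page for a rejected call.
function violationMessage(call) {
  return (
    `Method call '${call.method}' to service '${call.service}' ` +
    `at ${call.host}:${call.port} not in outbound gRPC whitelist`
  );
}

// Decide whether an outbound call is permitted; return the reason when it is not.
function evaluate(policy, call) {
  if (policy.outboundGrpc.isAllowed(call)) {
    return { allowed: true };
  }
  return { allowed: false, reason: violationMessage(call) };
}

// The two policies from this page, loaded into the model.
const pagePolicy = buildPolicy((policy) => {
  policy.outboundGrpc.allow('example.org', 1337, 'users', 'addUser');
  policy.outboundGrpc.allow('user-*.example.com', 8443, 'users', 'deleteUser');
});

// Constructed sample calls: the one from the error message, plus near misses
// (wrong port, host outside the glob, method not listed for that host).
const sampleCalls = [
  { host: 'user-1.example.com', port: 8443, service: 'users', method: 'deleteUser' },
  { host: 'user-1.example.com', port: 8444, service: 'users', method: 'deleteUser' },
  { host: 'admin.example.com', port: 8443, service: 'users', method: 'deleteUser' },
  { host: 'example.org', port: 1337, service: 'users', method: 'deleteUser' },
];

for (const call of sampleCalls) {
  const result = evaluate(pagePolicy, call);
  console.log(result.allowed ? 'ALLOW' : 'DENY  ' + result.reason);
}
```

The near misses are the point of the example: a glob on the host does not relax the port or the method, so each allow() entry should be read as one (host, port, service, method) tuple, and a second host or method needs its own entry.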