adjust permissions for lambda

Author: npalm

lambdas/functions/webhook/src/modules.d.ts

@@ -0,0 +1,12 @@
+declare namespace NodeJS {
+  export interface ProcessEnv {
+    ENVIRONMENT: string;
+    EVENT_BUS_NAME: string;
+    PARAMETER_GITHUB_APP_WEBHOOK_SECRET: string;
+    PARAMETER_RUNNER_MATCHER_CONFIG_PATH: string;
+    REPOSITORY_ALLOW_LIST: string;
+    RUNNER_LABELS: string;
+    ALLOWED_EVENTS: string;
+    SQS_WORKFLOW_JOB_QUEUE: string;
+  }
+}

modules/webhook/README.md

@@ -2,11 +2,11 @@
 
 > This module is treated as internal module, breaking changes will not trigger a major release bump.
 
-This module creates an API gateway endpoint and lambda function to handle GitHub App webhook events.
+Th module can be deployed in two modes. Direct messages, are delivered directly to the runner queues. EventBridge messages are delivered to an EventBridge bus and then dispatched to the runner queues.
 
 ## Lambda Function
 
-The Lambda function is written in [TypeScript](https://www.typescriptlang.org/) and requires Node 12.x and yarn. Sources are located in [./lambdas/webhook].
+The Lambda function is written in [TypeScript](https://www.typescriptlang.org/) and requires Node and yarn. Sources are located in [./lambdas/webhook]. Check see `lambda.ts` for the different handler functions available.
 
 ### Install
 

modules/webhook/direct/webhook.tf

@@ -137,8 +137,7 @@ resource "aws_iam_role_policy" "webhook_ssm" {
   role = aws_iam_role.webhook_lambda.name
 
   policy = templatefile("${path.module}/../policies/lambda-ssm.json", {
-    github_app_webhook_secret_arn       = var.config.github_app_parameters.webhook_secret.arn,
-    parameter_runner_matcher_config_arn = var.config.ssm_parameter_runner_matcher_config.arn
+    resource_arns = jsonencode([var.config.github_app_parameters.webhook_secret.arn, var.config.ssm_parameter_runner_matcher_config.arn])
   })
 }
 

modules/webhook/eventbridge/dispatcher.tf

@@ -43,11 +43,10 @@ resource "aws_lambda_function" "dispatcher" {
         POWERTOOLS_TRACE_ENABLED                 = var.config.tracing_config.mode != null ? true : false
         POWERTOOLS_TRACER_CAPTURE_HTTPS_REQUESTS = var.config.tracing_config.capture_http_requests
         POWERTOOLS_TRACER_CAPTURE_ERROR          = var.config.tracing_config.capture_error
-        PARAMETER_GITHUB_APP_WEBHOOK_SECRET      = var.config.github_app_parameters.webhook_secret.name
-        REPOSITORY_ALLOW_LIST                    = jsonencode(var.config.repository_white_list)
-        SQS_WORKFLOW_JOB_QUEUE                   = try(var.config.sqs_workflow_job_queue.id, null)
-        PARAMETER_GITHUB_APP_WEBHOOK_SECRET      = var.config.github_app_parameters.webhook_secret.name
-        PARAMETER_RUNNER_MATCHER_CONFIG_PATH     = var.config.ssm_parameter_runner_matcher_config.name
+        # Parameters required for lambda configuration
+        PARAMETER_RUNNER_MATCHER_CONFIG_PATH = var.config.ssm_parameter_runner_matcher_config.name
+        REPOSITORY_ALLOW_LIST                = jsonencode(var.config.repository_white_list)
+        SQS_WORKFLOW_JOB_QUEUE               = try(var.config.sqs_workflow_job_queue.id, null)
       } : k => v if v != null
     }
   }
@@ -126,8 +125,7 @@ resource "aws_iam_role_policy" "dispatcher_ssm" {
   role = aws_iam_role.dispatcher_lambda.name
 
   policy = templatefile("${path.module}/../policies/lambda-ssm.json", {
-    github_app_webhook_secret_arn       = var.config.github_app_parameters.webhook_secret.arn,
-    parameter_runner_matcher_config_arn = var.config.ssm_parameter_runner_matcher_config.arn
+    resource_arns = jsonencode([var.config.ssm_parameter_runner_matcher_config.arn])
   })
 }
 

modules/webhook/eventbridge/webhook.tf

@@ -121,8 +121,7 @@ resource "aws_iam_role_policy" "webhook_ssm" {
   role = aws_iam_role.webhook_lambda.name
 
   policy = templatefile("${path.module}/../policies/lambda-ssm.json", {
-    github_app_webhook_secret_arn       = var.config.github_app_parameters.webhook_secret.arn,
-    parameter_runner_matcher_config_arn = var.config.ssm_parameter_runner_matcher_config.arn
+    resource_arns = jsonencode([var.config.github_app_parameters.webhook_secret.arn])
   })
 }
 

modules/webhook/policies/lambda-ssm.json

@@ -4,10 +4,7 @@
     {
       "Effect": "Allow",
       "Action": ["ssm:GetParameter"],
-      "Resource": [
-        "${github_app_webhook_secret_arn}",
-        "${parameter_runner_matcher_config_arn}"
-      ]
+      "Resource": ${resource_arns}
     }
   ]
 }