pass allowed events to lambda

npalm · npalm · commit 2f509feb25d0 · 2024-10-17T21:57:26.000+02:00
diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf
@@ -80,6 +80,8 @@ module "runners" {
 
   # Deploy webhook in EventBridge mode
   webhook_mode = "eventbridge"
+  # adjust the allow events to only allow specific events, like workflow_job
+  # eventbridge_allowed_events = ['workflow_job']
 
   # enable this section for tracing
   # tracing_config = {
diff --git a/main.tf b/main.tf
@@ -124,7 +124,9 @@ module "ssm" {
 module "webhook" {
   source = "./modules/webhook"
 
-  mode = var.webhook_mode
+  mode                       = var.webhook_mode
+  eventbridge_allowed_events = var.eventbridge_allowed_events
+
   ssm_paths = {
     root    = local.ssm_root_path
     webhook = var.ssm_paths.webhook
diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf
@@ -283,6 +283,12 @@ variable "webhook_mode" {
   }
 }
 
+variable "eventbridge_allowed_events" {
+  description = "List of events that are allowed (accepted) to be sent to the eventbridge by the webhook. Variable only have effect if `webhook_mode` is set to `eventbridge`."
+  type        = list(string)
+  default     = []
+}
+
 variable "webhook_lambda_s3_key" {
   description = "S3 key for webhook lambda function. Required if using S3 bucket to specify lambdas."
   type        = string
diff --git a/modules/multi-runner/webhook.tf b/modules/multi-runner/webhook.tf
@@ -1,9 +1,10 @@
 module "webhook" {
-  source      = "../webhook"
-  prefix      = var.prefix
-  tags        = local.tags
-  mode        = var.webhook_mode
-  kms_key_arn = var.kms_key_arn
+  source                     = "../webhook"
+  prefix                     = var.prefix
+  tags                       = local.tags
+  mode                       = var.webhook_mode
+  eventbridge_allowed_events = var.eventbridge_allowed_events
+  kms_key_arn                = var.kms_key_arn
 
   runner_matcher_config               = local.runner_config
   matcher_config_parameter_store_tier = var.matcher_config_parameter_store_tier
diff --git a/modules/webhook/eventbridge/variables.tf b/modules/webhook/eventbridge/variables.tf
@@ -50,5 +50,6 @@ variable "config" {
       arn     = string
       version = string
     })
+    allowed_events = optional(list(string), [])
   })
 }
diff --git a/modules/webhook/eventbridge/webhook.tf b/modules/webhook/eventbridge/webhook.tf
@@ -21,9 +21,11 @@ resource "aws_lambda_function" "webhook" {
         POWERTOOLS_TRACE_ENABLED                 = var.config.tracing_config.mode != null ? true : false
         POWERTOOLS_TRACER_CAPTURE_HTTPS_REQUESTS = var.config.tracing_config.capture_http_requests
         POWERTOOLS_TRACER_CAPTURE_ERROR          = var.config.tracing_config.capture_error
-        PARAMETER_GITHUB_APP_WEBHOOK_SECRET      = var.config.github_app_parameters.webhook_secret.name
-        PARAMETER_RUNNER_MATCHER_CONFIG_PATH     = var.config.ssm_parameter_runner_matcher_config.name
-        EVENT_BUS_NAME                           = aws_cloudwatch_event_bus.main.name
+        # Parameters required for lambda configuration
+        ALLOWED_EVENTS                       = jsonencode(var.config.allowed_events)
+        EVENT_BUS_NAME                       = aws_cloudwatch_event_bus.main.name
+        PARAMETER_GITHUB_APP_WEBHOOK_SECRET  = var.config.github_app_parameters.webhook_secret.name
+        PARAMETER_RUNNER_MATCHER_CONFIG_PATH = var.config.ssm_parameter_runner_matcher_config.name
       } : k => v if v != null
     }
   }
diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf
@@ -220,3 +220,9 @@ variable "mode" {
     error_message = "`mode` value is not valid, valid values are: `direct`, and `eventbridge`."
   }
 }
+
+variable "eventbridge_allowed_events" {
+  description = "List of events that are allowed (accepted) to be sent to the eventbridge by the webhook."
+  type        = list(string)
+  default     = []
+}
diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf
@@ -84,6 +84,7 @@ module "eventbridge" {
     lambda_tags                           = var.lambda_tags,
     api_gw_source_arn                     = "${aws_apigatewayv2_api.webhook.execution_arn}/*/*/${local.webhook_endpoint}"
     ssm_parameter_runner_matcher_config   = aws_ssm_parameter.runner_matcher_config
+    allowed_events                        = var.eventbridge_allowed_events
   }
 
 }
diff --git a/variables.tf b/variables.tf
@@ -955,3 +955,9 @@ variable "webhook_mode" {
     error_message = "`mode` value is not valid, valid values are: `direct`, and `eventbridge`."
   }
 }
+
+variable "eventbridge_allowed_events" {
+  description = "List of events that are allowed (accepted) to be sent to the eventbridge by the webhook. Variable only have effect if `webhook_mode` is set to `eventbridge`."
+  type        = list(string)
+  default     = []
+}

Original file line number	Diff line number	Diff line change
`@@ -283,6 +283,12 @@ variable "webhook_mode" {`
`283`	`283`	`}`
`284`	`284`	`}`
`285`	`285`
	`286`	`+variable "eventbridge_allowed_events" {`
	`287`	+ description = "List of events that are allowed (accepted) to be sent to the eventbridge by the webhook. Variable only have effect if `webhook_mode` is set to `eventbridge`."
	`288`	`+ type = list(string)`
	`289`	`+ default = []`
	`290`	`+}`
	`291`	`+`
`286`	`292`	`variable "webhook_lambda_s3_key" {`
`287`	`293`	`description = "S3 key for webhook lambda function. Required if using S3 bucket to specify lambdas."`
`288`	`294`	`type = string`
Original file line number	Diff line number	Diff line change
`@@ -50,5 +50,6 @@ variable "config" {`
`50`	`50`	`arn = string`
`51`	`51`	`version = string`
`52`	`52`	`})`
	`53`	`+ allowed_events = optional(list(string), [])`
`53`	`54`	`})`
`54`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -220,3 +220,9 @@ variable "mode" {`
`220`	`220`	error_message = "`mode` value is not valid, valid values are: `direct`, and `eventbridge`."
`221`	`221`	`}`
`222`	`222`	`}`
	`223`	`+`
	`224`	`+variable "eventbridge_allowed_events" {`
	`225`	`+ description = "List of events that are allowed (accepted) to be sent to the eventbridge by the webhook."`
	`226`	`+ type = list(string)`
	`227`	`+ default = []`
	`228`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,7 @@ module "eventbridge" {`
`84`	`84`	`lambda_tags = var.lambda_tags,`
`85`	`85`	`api_gw_source_arn = "${aws_apigatewayv2_api.webhook.execution_arn}///${local.webhook_endpoint}"`
`86`	`86`	`ssm_parameter_runner_matcher_config = aws_ssm_parameter.runner_matcher_config`
	`87`	`+ allowed_events = var.eventbridge_allowed_events`
`87`	`88`	`}`
`88`	`89`
`89`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -955,3 +955,9 @@ variable "webhook_mode" {`
`955`	`955`	error_message = "`mode` value is not valid, valid values are: `direct`, and `eventbridge`."
`956`	`956`	`}`
`957`	`957`	`}`
	`958`	`+`
	`959`	`+variable "eventbridge_allowed_events" {`
	`960`	+ description = "List of events that are allowed (accepted) to be sent to the eventbridge by the webhook. Variable only have effect if `webhook_mode` is set to `eventbridge`."
	`961`	`+ type = list(string)`
	`962`	`+ default = []`
	`963`	`+}`