refactor / clean terraform code for webhook

Author: npalm

.terraform.lock.hcl

@@ -2,6 +2,15 @@ import { getParameter } from '@aws-github-runner/aws-ssm-util';
 import { RunnerMatcherConfig } from './sqs';
 import { logger } from '@aws-github-runner/aws-powertools-util';
 
+/**
+ * Base class for loading configuration from environment variables and SSM parameters.
+ *
+ * @remarks
+ * To avoid usages or checking values can be undefined we assume that configuration is
+ * set to
+ * - empty string if the property is not relevant
+ * - empty list if the property is not relevant
+ */
 abstract class BaseConfig {
   static instance: BaseConfig | null = null;
   configLoadingErrors: string[] = [];

lambdas/functions/webhook/src/ConfigLoader.ts

@@ -0,0 +1,6 @@
+
+resource "null_resource" "ssm_parameter_runner_matcher_config" {
+  triggers = {
+    version = var.config.ssm_parameter_runner_matcher_config.version
+  }
+}

modules/webhook/direct/main.tf

@@ -1,11 +1,16 @@
-# output "gateway" {
-#   value = aws_apigatewayv2_api.webhook
-# }
-
 output "webhook_lambda_function" {
   value = aws_lambda_function.webhook
 }
 
+
+output "webhook" {
+  value = {
+    lambda    = aws_lambda_function.webhook
+    log_group = aws_cloudwatch_log_group.webhook
+    role      = aws_iam_role.webhook_lambda
+  }
+}
+
 # output "lambda_log_group" {
 #   value = aws_cloudwatch_log_group.webhook
 # }

modules/webhook/webhook/outputs.tf renamed to modules/webhook/direct/outputs.tf

@@ -0,0 +1,54 @@
+variable "config" {
+  description = "Configuration object for all variables."
+  type = object({
+    prefix = string
+    archive = optional(object({
+      enable         = optional(bool, true)
+      retention_days = optional(number, 7)
+    }), {})
+    tags = optional(map(string), {})
+
+    lambda_subnet_ids         = optional(list(string), [])
+    lambda_security_group_ids = optional(list(string), [])
+    sqs_job_queues_arns       = list(string)
+    sqs_workflow_job_queue = optional(object({
+      id  = string
+      arn = string
+    }), null)
+    lambda_zip                = optional(string, null)
+    lambda_memory_size        = optional(number, 256)
+    lambda_timeout            = optional(number, 10)
+    role_permissions_boundary = optional(string, null)
+    role_path                 = optional(string, null)
+    logging_retention_in_days = optional(number, 180)
+    logging_kms_key_id        = optional(string, null)
+    lambda_s3_bucket          = optional(string, null)
+    lambda_s3_key             = optional(string, null)
+    lambda_s3_object_version  = optional(string, null)
+    lambda_apigateway_access_log_settings = optional(object({
+      destination_arn = string
+      format          = string
+    }), null)
+    repository_white_list = optional(list(string), [])
+    kms_key_arn           = optional(string, null)
+    log_level             = optional(string, "info")
+    lambda_runtime        = optional(string, "nodejs20.x")
+    aws_partition         = optional(string, "aws")
+    lambda_architecture   = optional(string, "arm64")
+    github_app_parameters = object({
+      webhook_secret = map(string)
+    })
+    tracing_config = optional(object({
+      mode                  = optional(string, null)
+      capture_http_requests = optional(bool, false)
+      capture_error         = optional(bool, false)
+    }), {})
+    lambda_tags       = optional(map(string), {})
+    api_gw_source_arn = string
+    ssm_parameter_runner_matcher_config = object({
+      name    = string
+      arn     = string
+      version = string
+    })
+  })
+}

modules/webhook/webhook/policies.tf renamed to modules/webhook/direct/policies.tf

@@ -1,25 +1,7 @@
 locals {
-  # config with combined key and order
-  runner_matcher_config = { for k, v in var.config.runner_matcher_config : format("%03d-%s", v.matcherConfig.priority, k) => merge(v, { key = k }) }
-
-  # sorted list
-  runner_matcher_config_sorted = [for k in sort(keys(local.runner_matcher_config)) : local.runner_matcher_config[k]]
-
-  # handler
-  lambda_handler_function = var.config.legacy_mode ? "index.githubWebhook" : "index.eventBridgeWebhook"
-
   lambda_zip = var.config.lambda_zip == null ? "${path.module}/../../../lambdas/functions/webhook/webhook.zip" : var.config.lambda_zip
-
 }
 
-resource "aws_ssm_parameter" "runner_matcher_config" {
-  name  = "${var.config.ssm_paths.root}/${var.config.ssm_paths.webhook}/runner-matcher-config"
-  type  = "String"
-  value = jsonencode(local.runner_matcher_config_sorted)
-  tier  = var.config.matcher_config_parameter_store_tier
-}
-
-
 resource "aws_lambda_function" "webhook" {
   s3_bucket         = var.config.lambda_s3_bucket != null ? var.config.lambda_s3_bucket : null
   s3_key            = var.config.lambda_s3_key != null ? var.config.lambda_s3_key : null
@@ -28,7 +10,7 @@ resource "aws_lambda_function" "webhook" {
   source_code_hash  = var.config.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
   function_name     = "${var.config.prefix}-webhook"
   role              = aws_iam_role.webhook_lambda.arn
-  handler           = local.lambda_handler_function
+  handler           = "index.githubWebhook"
   runtime           = var.config.lambda_runtime
   memory_size       = var.config.lambda_memory_size
   timeout           = var.config.lambda_timeout
@@ -45,7 +27,7 @@ resource "aws_lambda_function" "webhook" {
         PARAMETER_GITHUB_APP_WEBHOOK_SECRET      = var.config.github_app_parameters.webhook_secret.name
         REPOSITORY_ALLOW_LIST                    = jsonencode(var.config.repository_white_list)
         SQS_WORKFLOW_JOB_QUEUE                   = try(var.config.sqs_workflow_job_queue.id, null)
-        PARAMETER_RUNNER_MATCHER_CONFIG_PATH     = aws_ssm_parameter.runner_matcher_config.name
+        PARAMETER_RUNNER_MATCHER_CONFIG_PATH     = var.config.ssm_parameter_runner_matcher_config.name
       } : k => v if v != null
     }
   }
@@ -68,12 +50,10 @@ resource "aws_lambda_function" "webhook" {
   }
 
   lifecycle {
-    replace_triggered_by = [aws_ssm_parameter.runner_matcher_config, null_resource.github_app_parameters]
+    replace_triggered_by = [null_resource.ssm_parameter_runner_matcher_config, null_resource.github_app_parameters]
   }
 }
 
-
-
 resource "aws_cloudwatch_log_group" "webhook" {
   name              = "/aws/lambda/${aws_lambda_function.webhook.function_name}"
   retention_in_days = var.config.logging_retention_in_days
@@ -88,7 +68,7 @@ resource "aws_lambda_permission" "webhook" {
   principal     = "apigateway.amazonaws.com"
   source_arn    = var.config.api_gw_source_arn
   lifecycle {
-    replace_triggered_by = [aws_ssm_parameter.runner_matcher_config, null_resource.github_app_parameters]
+    replace_triggered_by = [null_resource.ssm_parameter_runner_matcher_config, null_resource.github_app_parameters]
   }
 }
 
@@ -110,7 +90,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
 }
 
 resource "aws_iam_role" "webhook_lambda" {
-  name                 = "${var.config.prefix}-action-webhook-lambda-role"
+  name                 = "${var.config.prefix}-direct-webhook-lambda-role"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = var.config.role_path
   permissions_boundary = var.config.role_permissions_boundary
@@ -136,7 +116,7 @@ resource "aws_iam_role_policy" "webhook_sqs" {
   role = aws_iam_role.webhook_lambda.name
 
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
-    sqs_resource_arns = jsonencode([for k, v in var.config.runner_matcher_config : v.arn])
+    sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
     kms_key_arn       = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
   })
 }
@@ -158,7 +138,7 @@ resource "aws_iam_role_policy" "webhook_ssm" {
 
   policy = templatefile("${path.module}/../policies/lambda-ssm.json", {
     github_app_webhook_secret_arn       = var.config.github_app_parameters.webhook_secret.arn,
-    parameter_runner_matcher_config_arn = aws_ssm_parameter.runner_matcher_config.arn
+    parameter_runner_matcher_config_arn = var.config.ssm_parameter_runner_matcher_config.arn
   })
 }
 

modules/webhook/direct/variables.tf

@@ -1,43 +1,3 @@
-# locals {
-#   # config with combined key and order
-#   runner_matcher_config = { for k, v in var.config.runner_matcher_config : format("%03d-%s", v.matcherConfig.priority, k) => merge(v, { key = k }) }
-
-#   # sorted list
-#   runner_matcher_config_sorted = [for k in sort(keys(local.runner_matcher_config)) : local.runner_matcher_config[k]]
-
-#   # handler
-#   lambda_handler_function = var.config.legacy_mode ? "index.githubWebhook" : "index.eventBridgeWebhook"
-
-#   lambda_zip       = var.config.lambda_zip == null ? "${path.module}/../../../lambdas/functions/webhook/webhook.zip" : var.config.lambda_zip
-
-# }
-
-# resource "aws_ssm_parameter" "runner_matcher_config" {
-#   name  = "${var.config.ssm_paths.root}/${var.config.ssm_paths.webhook}/runner-matcher-config"
-#   type  = "String"
-#   value = jsonencode(local.runner_matcher_config_sorted)
-#   tier  = var.config.matcher_config_parameter_store_tier
-# }
-
-# resource "aws_cloudwatch_event_rule" "workflow_job" {
-#   name           = "${var.config.prefix}-workflow_job"
-#   description    = "Workflow job event ruule for job queued."
-#   event_bus_name = aws_cloudwatch_event_bus.main.name
-
-#   event_pattern = <<EOF
-# {
-#   "detail-type": [
-#     "workflow_job"
-#   ],
-#   "source": ["github"],
-#   "detail": {
-#     "action": ["queued"]
-#   }
-# }
-# EOF
-# }
-
-
 resource "aws_cloudwatch_event_rule" "workflow_job" {
   name           = "${var.config.prefix}-workflow_job"
   description    = "Workflow job event ruule for job queued."
@@ -87,7 +47,7 @@ resource "aws_lambda_function" "dispatcher" {
         REPOSITORY_ALLOW_LIST                    = jsonencode(var.config.repository_white_list)
         SQS_WORKFLOW_JOB_QUEUE                   = try(var.config.sqs_workflow_job_queue.id, null)
         PARAMETER_GITHUB_APP_WEBHOOK_SECRET      = var.config.github_app_parameters.webhook_secret.name
-        PARAMETER_RUNNER_MATCHER_CONFIG_PATH     = aws_ssm_parameter.runner_matcher_config.name
+        PARAMETER_RUNNER_MATCHER_CONFIG_PATH     = var.config.ssm_parameter_runner_matcher_config.name
       } : k => v if v != null
     }
   }
@@ -110,7 +70,7 @@ resource "aws_lambda_function" "dispatcher" {
   }
 
   lifecycle {
-    replace_triggered_by = [aws_ssm_parameter.runner_matcher_config, null_resource.github_app_parameters]
+    replace_triggered_by = [null_resource.ssm_parameter_runner_matcher_config, null_resource.github_app_parameters]
   }
 }
 
@@ -121,17 +81,6 @@ resource "aws_cloudwatch_log_group" "dispatcher" {
   tags              = var.config.tags
 }
 
-# resource "aws_lambda_permission" "dispatcher" {
-#   statement_id  = "AllowExecutionFromAPIGateway"
-#   action        = "lambda:InvokeFunction"
-#   function_name = aws_lambda_function.dispatcher.function_name
-#   principal     = "apigateway.amazonaws.com"
-#   source_arn    = var.config.api_gw_source_arn
-#   lifecycle {
-#     replace_triggered_by = [aws_ssm_parameter.runner_matcher_config, null_resource.github_app_parameters]
-#   }
-# }
-
 resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda" {
   statement_id  = "AllowExecutionFromCloudWatch"
   action        = "lambda:InvokeFunction"
@@ -140,18 +89,6 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda" {
   source_arn    = aws_cloudwatch_event_rule.workflow_job.arn
 }
 
-
-# data "aws_iam_policy_document" "lambda_assume_role_policy" {
-#   statement {
-#     actions = ["sts:AssumeRole"]
-
-#     principals {
-#       type        = "Service"
-#       identifiers = ["lambda.amazonaws.com"]
-#     }
-#   }
-# }
-
 resource "aws_iam_role" "dispatcher_lambda" {
   name                 = "${var.config.prefix}-dispatcher-lambda-role"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
@@ -179,7 +116,7 @@ resource "aws_iam_role_policy" "dispatcher_sqs" {
   role = aws_iam_role.dispatcher_lambda.name
 
   policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
-    sqs_resource_arns = jsonencode([for k, v in var.config.runner_matcher_config : v.arn])
+    sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
     kms_key_arn       = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
   })
 }
@@ -190,7 +127,7 @@ resource "aws_iam_role_policy" "dispatcher_ssm" {
 
   policy = templatefile("${path.module}/../policies/lambda-ssm.json", {
     github_app_webhook_secret_arn       = var.config.github_app_parameters.webhook_secret.arn,
-    parameter_runner_matcher_config_arn = aws_ssm_parameter.runner_matcher_config.arn
+    parameter_runner_matcher_config_arn = var.config.ssm_parameter_runner_matcher_config.arn
   })
 }
 

modules/webhook/webhook/versions.tf renamed to modules/webhook/direct/versions.tf

@@ -1,5 +1,6 @@
 locals {
-  name = "${var.config.prefix}-runners"
+  name       = "${var.config.prefix}-runners"
+  lambda_zip = var.config.lambda_zip == null ? "${path.module}/../../../lambdas/functions/webhook/webhook.zip" : var.config.lambda_zip
 }
 
 resource "aws_cloudwatch_event_bus" "main" {
@@ -12,3 +13,9 @@ resource "aws_cloudwatch_event_archive" "main" {
   event_source_arn = aws_cloudwatch_event_bus.main.arn
   retention_days   = var.config.archive.retention_days
 }
+
+resource "null_resource" "ssm_parameter_runner_matcher_config" {
+  triggers = {
+    version = var.config.ssm_parameter_runner_matcher_config.version
+  }
+}

modules/webhook/webhook/webhook.tf renamed to modules/webhook/direct/webhook.tf

@@ -1,11 +1,22 @@
 output "eventbridge" {
-  value = aws_cloudwatch_event_bus.main
+  value = {
+    event_but = aws_cloudwatch_event_bus.main
+    archive   = aws_cloudwatch_event_archive.main
+  }
 }
 
-output "achive" {
-  value = var.config.archive.enable ? aws_cloudwatch_event_archive.main : null
+output "webhook" {
+  value = {
+    lambda    = aws_lambda_function.webhook
+    log_group = aws_cloudwatch_log_group.webhook
+    role      = aws_iam_role.webhook_lambda
+  }
 }
 
-output "webhook_lambda_function" {
-  value = aws_lambda_function.webhook
+output "dispatcher" {
+  value = {
+    lambda    = aws_lambda_function.dispatcher
+    log_group = aws_cloudwatch_log_group.dispatcher
+    role      = aws_iam_role.dispatcher_lambda
+  }
 }