{
const signature = headers['x-hub-signature-256'] as string;
const webhooks = new Webhooks({
- secret: Config.webhookSecret!,
+ secret,
});
if (
@@ -50,21 +107,26 @@ function init(headers: IncomingHttpHeaders) {
headers[key.toLowerCase()] = headers[key];
}
- logger.addPersistentLogAttributes({
+ logger.appendPersistentKeys({
github: {
- 'github-event': headers['x-github-event'],
'github-delivery': headers['x-github-delivery'],
+ 'github-event': headers['x-github-event'],
+ 'github-hook-id': headers['x-github-hook-id'],
+ 'github-hook-installation-target-id': headers['x-github-hook-installation-target-id'],
},
});
}
-function readEvent(headers: IncomingHttpHeaders, body: string): { event: WorkflowJobEvent; eventType: string } {
- const eventType = headers['x-github-event'] as string;
-
- if (!supportedEvents.includes(eventType)) {
+function checkEventIsSupported(eventType: string, allowedEvents: string[]): void {
+ if (allowedEvents.length > 0 && !allowedEvents.includes(eventType)) {
logger.warn(`Unsupported event type: ${eventType}`);
throw new ValidationError(202, `Unsupported event type: ${eventType}`);
}
+}
+
+function readEvent(headers: IncomingHttpHeaders, body: string): { event: WorkflowJobEvent; eventType: string } {
+ const eventType = headers['x-github-event'] as string;
+ checkEventIsSupported(eventType, ['workflow_job']);
const event = JSON.parse(body) as WorkflowJobEvent;
logger.appendPersistentKeys({
diff --git a/lambdas/yarn.lock b/lambdas/yarn.lock
index b20304ab61..3526567e2e 100644
--- a/lambdas/yarn.lock
+++ b/lambdas/yarn.lock
@@ -113,7 +113,7 @@ __metadata:
"@typescript-eslint/eslint-plugin": "npm:^8.9.0"
"@typescript-eslint/parser": "npm:^8.11.0"
"@vercel/ncc": "npm:^0.38.1"
- aws-sdk-client-mock: "npm:^4.0.2"
+ aws-sdk-client-mock: "npm:^4.1.0"
aws-sdk-client-mock-jest: "npm:^4.1.0"
cron-parser: "npm:^4.9.0"
eslint: "npm:^8.57.0"
@@ -212,7 +212,7 @@ __metadata:
"@typescript-eslint/eslint-plugin": "npm:^8.9.0"
"@typescript-eslint/parser": "npm:^8.11.0"
"@vercel/ncc": "npm:^0.38.1"
- aws-sdk-client-mock: "npm:^4.0.2"
+ aws-sdk-client-mock: "npm:^4.1.0"
aws-sdk-client-mock-jest: "npm:^4.1.0"
cron-parser: "npm:^4.9.0"
eslint: "npm:^8.57.0"
@@ -248,7 +248,7 @@ __metadata:
"@typescript-eslint/eslint-plugin": "npm:^8.9.0"
"@typescript-eslint/parser": "npm:^8.11.0"
"@vercel/ncc": "npm:^0.38.1"
- aws-sdk-client-mock: "npm:^4.0.2"
+ aws-sdk-client-mock: "npm:^4.1.0"
aws-sdk-client-mock-jest: "npm:^4.1.0"
axios: "npm:^1.7.7"
eslint: "npm:^8.57.0"
@@ -277,7 +277,7 @@ __metadata:
"@typescript-eslint/eslint-plugin": "npm:^8.9.0"
"@typescript-eslint/parser": "npm:^8.11.0"
"@vercel/ncc": "npm:^0.38.1"
- aws-sdk-client-mock: "npm:^4.0.2"
+ aws-sdk-client-mock: "npm:^4.1.0"
aws-sdk-client-mock-jest: "npm:^4.1.0"
eslint: "npm:^8.57.0"
eslint-plugin-prettier: "npm:5.2.1"
@@ -299,6 +299,7 @@ __metadata:
dependencies:
"@aws-github-runner/aws-powertools-util": "npm:*"
"@aws-github-runner/aws-ssm-util": "npm:*"
+ "@aws-sdk/client-eventbridge": "npm:^3.670.0"
"@aws-sdk/client-sqs": "npm:^3.677.0"
"@middy/core": "npm:^4.7.0"
"@octokit/rest": "npm:20.1.1"
@@ -460,6 +461,56 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/client-eventbridge@npm:^3.670.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/client-eventbridge@npm:3.678.0"
+ dependencies:
+ "@aws-crypto/sha256-browser": "npm:5.2.0"
+ "@aws-crypto/sha256-js": "npm:5.2.0"
+ "@aws-sdk/client-sso-oidc": "npm:3.678.0"
+ "@aws-sdk/client-sts": "npm:3.678.0"
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/credential-provider-node": "npm:3.678.0"
+ "@aws-sdk/middleware-host-header": "npm:3.667.0"
+ "@aws-sdk/middleware-logger": "npm:3.667.0"
+ "@aws-sdk/middleware-recursion-detection": "npm:3.667.0"
+ "@aws-sdk/middleware-user-agent": "npm:3.678.0"
+ "@aws-sdk/region-config-resolver": "npm:3.667.0"
+ "@aws-sdk/signature-v4-multi-region": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@aws-sdk/util-endpoints": "npm:3.667.0"
+ "@aws-sdk/util-user-agent-browser": "npm:3.675.0"
+ "@aws-sdk/util-user-agent-node": "npm:3.678.0"
+ "@smithy/config-resolver": "npm:^3.0.9"
+ "@smithy/core": "npm:^2.4.8"
+ "@smithy/fetch-http-handler": "npm:^3.2.9"
+ "@smithy/hash-node": "npm:^3.0.7"
+ "@smithy/invalid-dependency": "npm:^3.0.7"
+ "@smithy/middleware-content-length": "npm:^3.0.9"
+ "@smithy/middleware-endpoint": "npm:^3.1.4"
+ "@smithy/middleware-retry": "npm:^3.0.23"
+ "@smithy/middleware-serde": "npm:^3.0.7"
+ "@smithy/middleware-stack": "npm:^3.0.7"
+ "@smithy/node-config-provider": "npm:^3.1.8"
+ "@smithy/node-http-handler": "npm:^3.2.4"
+ "@smithy/protocol-http": "npm:^4.1.4"
+ "@smithy/smithy-client": "npm:^3.4.0"
+ "@smithy/types": "npm:^3.5.0"
+ "@smithy/url-parser": "npm:^3.0.7"
+ "@smithy/util-base64": "npm:^3.0.0"
+ "@smithy/util-body-length-browser": "npm:^3.0.0"
+ "@smithy/util-body-length-node": "npm:^3.0.0"
+ "@smithy/util-defaults-mode-browser": "npm:^3.0.23"
+ "@smithy/util-defaults-mode-node": "npm:^3.0.23"
+ "@smithy/util-endpoints": "npm:^2.1.3"
+ "@smithy/util-middleware": "npm:^3.0.7"
+ "@smithy/util-retry": "npm:^3.0.7"
+ "@smithy/util-utf8": "npm:^3.0.0"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/33220266079b1354b7cd824d258a5abd002ba3be4a18ae60a45bd2eff843e4276cb24d7ca0dd7e1bbbf36f7d9b4120ac97b78b76304f028387a99a1e41284e4d
+ languageName: node
+ linkType: hard
+
"@aws-sdk/client-s3@npm:^3.677.0":
version: 3.677.0
resolution: "@aws-sdk/client-s3@npm:3.677.0"
@@ -678,6 +729,55 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/client-sso-oidc@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/client-sso-oidc@npm:3.678.0"
+ dependencies:
+ "@aws-crypto/sha256-browser": "npm:5.2.0"
+ "@aws-crypto/sha256-js": "npm:5.2.0"
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/credential-provider-node": "npm:3.678.0"
+ "@aws-sdk/middleware-host-header": "npm:3.667.0"
+ "@aws-sdk/middleware-logger": "npm:3.667.0"
+ "@aws-sdk/middleware-recursion-detection": "npm:3.667.0"
+ "@aws-sdk/middleware-user-agent": "npm:3.678.0"
+ "@aws-sdk/region-config-resolver": "npm:3.667.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@aws-sdk/util-endpoints": "npm:3.667.0"
+ "@aws-sdk/util-user-agent-browser": "npm:3.675.0"
+ "@aws-sdk/util-user-agent-node": "npm:3.678.0"
+ "@smithy/config-resolver": "npm:^3.0.9"
+ "@smithy/core": "npm:^2.4.8"
+ "@smithy/fetch-http-handler": "npm:^3.2.9"
+ "@smithy/hash-node": "npm:^3.0.7"
+ "@smithy/invalid-dependency": "npm:^3.0.7"
+ "@smithy/middleware-content-length": "npm:^3.0.9"
+ "@smithy/middleware-endpoint": "npm:^3.1.4"
+ "@smithy/middleware-retry": "npm:^3.0.23"
+ "@smithy/middleware-serde": "npm:^3.0.7"
+ "@smithy/middleware-stack": "npm:^3.0.7"
+ "@smithy/node-config-provider": "npm:^3.1.8"
+ "@smithy/node-http-handler": "npm:^3.2.4"
+ "@smithy/protocol-http": "npm:^4.1.4"
+ "@smithy/smithy-client": "npm:^3.4.0"
+ "@smithy/types": "npm:^3.5.0"
+ "@smithy/url-parser": "npm:^3.0.7"
+ "@smithy/util-base64": "npm:^3.0.0"
+ "@smithy/util-body-length-browser": "npm:^3.0.0"
+ "@smithy/util-body-length-node": "npm:^3.0.0"
+ "@smithy/util-defaults-mode-browser": "npm:^3.0.23"
+ "@smithy/util-defaults-mode-node": "npm:^3.0.23"
+ "@smithy/util-endpoints": "npm:^2.1.3"
+ "@smithy/util-middleware": "npm:^3.0.7"
+ "@smithy/util-retry": "npm:^3.0.7"
+ "@smithy/util-utf8": "npm:^3.0.0"
+ tslib: "npm:^2.6.2"
+ peerDependencies:
+ "@aws-sdk/client-sts": ^3.678.0
+ checksum: 10c0/0b3f8d2448417ce28ba5bb6b8d61b2c85774d9066b4b344bd832bc994f064f702bc34074201db66a574ef78c5a24a541763295aa1108b01e1453962d7e13f902
+ languageName: node
+ linkType: hard
+
"@aws-sdk/client-sso@npm:3.677.0":
version: 3.677.0
resolution: "@aws-sdk/client-sso@npm:3.677.0"
@@ -724,6 +824,52 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/client-sso@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/client-sso@npm:3.678.0"
+ dependencies:
+ "@aws-crypto/sha256-browser": "npm:5.2.0"
+ "@aws-crypto/sha256-js": "npm:5.2.0"
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/middleware-host-header": "npm:3.667.0"
+ "@aws-sdk/middleware-logger": "npm:3.667.0"
+ "@aws-sdk/middleware-recursion-detection": "npm:3.667.0"
+ "@aws-sdk/middleware-user-agent": "npm:3.678.0"
+ "@aws-sdk/region-config-resolver": "npm:3.667.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@aws-sdk/util-endpoints": "npm:3.667.0"
+ "@aws-sdk/util-user-agent-browser": "npm:3.675.0"
+ "@aws-sdk/util-user-agent-node": "npm:3.678.0"
+ "@smithy/config-resolver": "npm:^3.0.9"
+ "@smithy/core": "npm:^2.4.8"
+ "@smithy/fetch-http-handler": "npm:^3.2.9"
+ "@smithy/hash-node": "npm:^3.0.7"
+ "@smithy/invalid-dependency": "npm:^3.0.7"
+ "@smithy/middleware-content-length": "npm:^3.0.9"
+ "@smithy/middleware-endpoint": "npm:^3.1.4"
+ "@smithy/middleware-retry": "npm:^3.0.23"
+ "@smithy/middleware-serde": "npm:^3.0.7"
+ "@smithy/middleware-stack": "npm:^3.0.7"
+ "@smithy/node-config-provider": "npm:^3.1.8"
+ "@smithy/node-http-handler": "npm:^3.2.4"
+ "@smithy/protocol-http": "npm:^4.1.4"
+ "@smithy/smithy-client": "npm:^3.4.0"
+ "@smithy/types": "npm:^3.5.0"
+ "@smithy/url-parser": "npm:^3.0.7"
+ "@smithy/util-base64": "npm:^3.0.0"
+ "@smithy/util-body-length-browser": "npm:^3.0.0"
+ "@smithy/util-body-length-node": "npm:^3.0.0"
+ "@smithy/util-defaults-mode-browser": "npm:^3.0.23"
+ "@smithy/util-defaults-mode-node": "npm:^3.0.23"
+ "@smithy/util-endpoints": "npm:^2.1.3"
+ "@smithy/util-middleware": "npm:^3.0.7"
+ "@smithy/util-retry": "npm:^3.0.7"
+ "@smithy/util-utf8": "npm:^3.0.0"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/d0d03d8bc9d42be12c8c487730b8c50e4230362511763a8a82c717b698f43bd68b13eddd57352405afe6fa27c08b96381ffc3995d7879d073a682e355845f653
+ languageName: node
+ linkType: hard
+
"@aws-sdk/client-sts@npm:3.677.0":
version: 3.677.0
resolution: "@aws-sdk/client-sts@npm:3.677.0"
@@ -772,6 +918,54 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/client-sts@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/client-sts@npm:3.678.0"
+ dependencies:
+ "@aws-crypto/sha256-browser": "npm:5.2.0"
+ "@aws-crypto/sha256-js": "npm:5.2.0"
+ "@aws-sdk/client-sso-oidc": "npm:3.678.0"
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/credential-provider-node": "npm:3.678.0"
+ "@aws-sdk/middleware-host-header": "npm:3.667.0"
+ "@aws-sdk/middleware-logger": "npm:3.667.0"
+ "@aws-sdk/middleware-recursion-detection": "npm:3.667.0"
+ "@aws-sdk/middleware-user-agent": "npm:3.678.0"
+ "@aws-sdk/region-config-resolver": "npm:3.667.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@aws-sdk/util-endpoints": "npm:3.667.0"
+ "@aws-sdk/util-user-agent-browser": "npm:3.675.0"
+ "@aws-sdk/util-user-agent-node": "npm:3.678.0"
+ "@smithy/config-resolver": "npm:^3.0.9"
+ "@smithy/core": "npm:^2.4.8"
+ "@smithy/fetch-http-handler": "npm:^3.2.9"
+ "@smithy/hash-node": "npm:^3.0.7"
+ "@smithy/invalid-dependency": "npm:^3.0.7"
+ "@smithy/middleware-content-length": "npm:^3.0.9"
+ "@smithy/middleware-endpoint": "npm:^3.1.4"
+ "@smithy/middleware-retry": "npm:^3.0.23"
+ "@smithy/middleware-serde": "npm:^3.0.7"
+ "@smithy/middleware-stack": "npm:^3.0.7"
+ "@smithy/node-config-provider": "npm:^3.1.8"
+ "@smithy/node-http-handler": "npm:^3.2.4"
+ "@smithy/protocol-http": "npm:^4.1.4"
+ "@smithy/smithy-client": "npm:^3.4.0"
+ "@smithy/types": "npm:^3.5.0"
+ "@smithy/url-parser": "npm:^3.0.7"
+ "@smithy/util-base64": "npm:^3.0.0"
+ "@smithy/util-body-length-browser": "npm:^3.0.0"
+ "@smithy/util-body-length-node": "npm:^3.0.0"
+ "@smithy/util-defaults-mode-browser": "npm:^3.0.23"
+ "@smithy/util-defaults-mode-node": "npm:^3.0.23"
+ "@smithy/util-endpoints": "npm:^2.1.3"
+ "@smithy/util-middleware": "npm:^3.0.7"
+ "@smithy/util-retry": "npm:^3.0.7"
+ "@smithy/util-utf8": "npm:^3.0.0"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/7ddbbe40611ccb47cc4567185a985e33a2fb626390e07feccebc3f64f87bc748de5b3432ff2a0bcc8e27cd5e705393f811e4e194906e2e11f1a24c2bc6914635
+ languageName: node
+ linkType: hard
+
"@aws-sdk/core@npm:3.677.0":
version: 3.677.0
resolution: "@aws-sdk/core@npm:3.677.0"
@@ -791,6 +985,25 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/core@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/core@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/types": "npm:3.667.0"
+ "@smithy/core": "npm:^2.4.8"
+ "@smithy/node-config-provider": "npm:^3.1.8"
+ "@smithy/property-provider": "npm:^3.1.7"
+ "@smithy/protocol-http": "npm:^4.1.4"
+ "@smithy/signature-v4": "npm:^4.2.0"
+ "@smithy/smithy-client": "npm:^3.4.0"
+ "@smithy/types": "npm:^3.5.0"
+ "@smithy/util-middleware": "npm:^3.0.7"
+ fast-xml-parser: "npm:4.4.1"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/7113ccd670e76527d6a720cfb9f7ccd3113a63665bc5048af0b3477ffc5dbc62968b9b02fe4689a56390444a94fa446837f147e65ba091fb24ed095e4fe1f3d4
+ languageName: node
+ linkType: hard
+
"@aws-sdk/credential-provider-env@npm:3.677.0":
version: 3.677.0
resolution: "@aws-sdk/credential-provider-env@npm:3.677.0"
@@ -804,6 +1017,19 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/credential-provider-env@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/credential-provider-env@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@smithy/property-provider": "npm:^3.1.7"
+ "@smithy/types": "npm:^3.5.0"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/09de3d9d31a4c22d18ceca8818fcbb911c93eb4337477f4eb2e169f4877525a109b1110b264271b39914a5a13cfcb4e85e0cd8d20bf8006723dfadfe82b09ea9
+ languageName: node
+ linkType: hard
+
"@aws-sdk/credential-provider-http@npm:3.677.0":
version: 3.677.0
resolution: "@aws-sdk/credential-provider-http@npm:3.677.0"
@@ -822,6 +1048,24 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/credential-provider-http@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/credential-provider-http@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@smithy/fetch-http-handler": "npm:^3.2.9"
+ "@smithy/node-http-handler": "npm:^3.2.4"
+ "@smithy/property-provider": "npm:^3.1.7"
+ "@smithy/protocol-http": "npm:^4.1.4"
+ "@smithy/smithy-client": "npm:^3.4.0"
+ "@smithy/types": "npm:^3.5.0"
+ "@smithy/util-stream": "npm:^3.1.9"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/e03375673f97ce220c0c9b2bc8db73debd32200f59711bd4064f50b37cb5ba691816481bc12bc684670f4a721676c7171a95ce06c5e573718b4d5b6de0f48b6d
+ languageName: node
+ linkType: hard
+
"@aws-sdk/credential-provider-ini@npm:3.677.0":
version: 3.677.0
resolution: "@aws-sdk/credential-provider-ini@npm:3.677.0"
@@ -844,6 +1088,28 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/credential-provider-ini@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/credential-provider-ini@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/credential-provider-env": "npm:3.678.0"
+ "@aws-sdk/credential-provider-http": "npm:3.678.0"
+ "@aws-sdk/credential-provider-process": "npm:3.678.0"
+ "@aws-sdk/credential-provider-sso": "npm:3.678.0"
+ "@aws-sdk/credential-provider-web-identity": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@smithy/credential-provider-imds": "npm:^3.2.4"
+ "@smithy/property-provider": "npm:^3.1.7"
+ "@smithy/shared-ini-file-loader": "npm:^3.1.8"
+ "@smithy/types": "npm:^3.5.0"
+ tslib: "npm:^2.6.2"
+ peerDependencies:
+ "@aws-sdk/client-sts": ^3.678.0
+ checksum: 10c0/48da167b454a1564c2e4b0e9e417f093b666f8815001be157320d3e1bc052d65e54430a8de186fb00315f9ef6859224244924db6e70d86995d28e05ddf5d9d1c
+ languageName: node
+ linkType: hard
+
"@aws-sdk/credential-provider-node@npm:3.677.0":
version: 3.677.0
resolution: "@aws-sdk/credential-provider-node@npm:3.677.0"
@@ -864,6 +1130,26 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/credential-provider-node@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/credential-provider-node@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/credential-provider-env": "npm:3.678.0"
+ "@aws-sdk/credential-provider-http": "npm:3.678.0"
+ "@aws-sdk/credential-provider-ini": "npm:3.678.0"
+ "@aws-sdk/credential-provider-process": "npm:3.678.0"
+ "@aws-sdk/credential-provider-sso": "npm:3.678.0"
+ "@aws-sdk/credential-provider-web-identity": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@smithy/credential-provider-imds": "npm:^3.2.4"
+ "@smithy/property-provider": "npm:^3.1.7"
+ "@smithy/shared-ini-file-loader": "npm:^3.1.8"
+ "@smithy/types": "npm:^3.5.0"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/5cf7b7197ba45ce217acd51c4e04bff601804e0a447e31103df3d5842ce9771cbed679b45e1750769f58cf9c64b3a7d27e9b0cc77e42f7680037a8c84a531719
+ languageName: node
+ linkType: hard
+
"@aws-sdk/credential-provider-process@npm:3.677.0":
version: 3.677.0
resolution: "@aws-sdk/credential-provider-process@npm:3.677.0"
@@ -878,6 +1164,20 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/credential-provider-process@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/credential-provider-process@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@smithy/property-provider": "npm:^3.1.7"
+ "@smithy/shared-ini-file-loader": "npm:^3.1.8"
+ "@smithy/types": "npm:^3.5.0"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/793681c4234aadae9992debfdd8a5bb1dd2958c2f12c808789c450ed315fec3cc242a57538a8ba6a731439995b04fa8da2e4c5449274f33618ac61f288de5431
+ languageName: node
+ linkType: hard
+
"@aws-sdk/credential-provider-sso@npm:3.677.0":
version: 3.677.0
resolution: "@aws-sdk/credential-provider-sso@npm:3.677.0"
@@ -894,6 +1194,22 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/credential-provider-sso@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/credential-provider-sso@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/client-sso": "npm:3.678.0"
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/token-providers": "npm:3.667.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@smithy/property-provider": "npm:^3.1.7"
+ "@smithy/shared-ini-file-loader": "npm:^3.1.8"
+ "@smithy/types": "npm:^3.5.0"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/ef1db0dc1b5a62b3c450d3ab5a1e86fb7083d2df855b7b312c5986c6fccfc97f10bfcdc31bf4f64482e8b5ef9c945f9ac82b23d6d3b79f8cfbc1b16fb5415f89
+ languageName: node
+ linkType: hard
+
"@aws-sdk/credential-provider-web-identity@npm:3.677.0":
version: 3.677.0
resolution: "@aws-sdk/credential-provider-web-identity@npm:3.677.0"
@@ -909,6 +1225,21 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/credential-provider-web-identity@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/credential-provider-web-identity@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@smithy/property-provider": "npm:^3.1.7"
+ "@smithy/types": "npm:^3.5.0"
+ tslib: "npm:^2.6.2"
+ peerDependencies:
+ "@aws-sdk/client-sts": ^3.678.0
+ checksum: 10c0/68194b54ad7396e6dafc4f451d94b0d647d33a410bc9a3b9525e4b6e203177a2e77c6cdd359445875612d6499689359c762fffb46eda2f58fff2f55b06c8cac9
+ languageName: node
+ linkType: hard
+
"@aws-sdk/lib-storage@npm:^3.677.0":
version: 3.677.0
resolution: "@aws-sdk/lib-storage@npm:3.677.0"
@@ -1056,6 +1387,28 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/middleware-sdk-s3@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/middleware-sdk-s3@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@aws-sdk/util-arn-parser": "npm:3.568.0"
+ "@smithy/core": "npm:^2.4.8"
+ "@smithy/node-config-provider": "npm:^3.1.8"
+ "@smithy/protocol-http": "npm:^4.1.4"
+ "@smithy/signature-v4": "npm:^4.2.0"
+ "@smithy/smithy-client": "npm:^3.4.0"
+ "@smithy/types": "npm:^3.5.0"
+ "@smithy/util-config-provider": "npm:^3.0.0"
+ "@smithy/util-middleware": "npm:^3.0.7"
+ "@smithy/util-stream": "npm:^3.1.9"
+ "@smithy/util-utf8": "npm:^3.0.0"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/f137d1ed8319f8f7d0f4270b92e971cfc6576a6fd97d6984ad36e02d0d0764c40f25cc8c8818917c8ea638780bd59f2cdf3e6b48f6396ca423e94f6841662018
+ languageName: node
+ linkType: hard
+
"@aws-sdk/middleware-sdk-sqs@npm:3.667.0":
version: 3.667.0
resolution: "@aws-sdk/middleware-sdk-sqs@npm:3.667.0"
@@ -1096,6 +1449,21 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/middleware-user-agent@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/middleware-user-agent@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/core": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@aws-sdk/util-endpoints": "npm:3.667.0"
+ "@smithy/core": "npm:^2.4.8"
+ "@smithy/protocol-http": "npm:^4.1.4"
+ "@smithy/types": "npm:^3.5.0"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/c2b86d7e5abb956a52ae3386f6e5243f1913f08b3593bdc5f97b1f0a7eb5089bcd5d92ed7e5c6ddfd20d09a05540e20c87d566b12462e8f70b714618065ff72f
+ languageName: node
+ linkType: hard
+
"@aws-sdk/region-config-resolver@npm:3.667.0":
version: 3.667.0
resolution: "@aws-sdk/region-config-resolver@npm:3.667.0"
@@ -1124,6 +1492,20 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/signature-v4-multi-region@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/signature-v4-multi-region@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/middleware-sdk-s3": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@smithy/protocol-http": "npm:^4.1.4"
+ "@smithy/signature-v4": "npm:^4.2.0"
+ "@smithy/types": "npm:^3.5.0"
+ tslib: "npm:^2.6.2"
+ checksum: 10c0/12afa7d5e0a8f05ac5d8aef85c2cb18300d460a0706e5fd2ac6c65e37a964fb0694a927ef22b88690576ee18ace6e94a27e9e4db2f1f5999e82fd6dd3133276a
+ languageName: node
+ linkType: hard
+
"@aws-sdk/token-providers@npm:3.667.0":
version: 3.667.0
resolution: "@aws-sdk/token-providers@npm:3.667.0"
@@ -1139,7 +1521,7 @@ __metadata:
languageName: node
linkType: hard
-"@aws-sdk/types@npm:3.667.0":
+"@aws-sdk/types@npm:3.667.0, @aws-sdk/types@npm:^3.222.0, @aws-sdk/types@npm:^3.4.1, @aws-sdk/types@npm:^3.664.0":
version: 3.667.0
resolution: "@aws-sdk/types@npm:3.667.0"
dependencies:
@@ -1149,26 +1531,6 @@ __metadata:
languageName: node
linkType: hard
-"@aws-sdk/types@npm:^3.222.0, @aws-sdk/types@npm:^3.4.1":
- version: 3.609.0
- resolution: "@aws-sdk/types@npm:3.609.0"
- dependencies:
- "@smithy/types": "npm:^3.3.0"
- tslib: "npm:^2.6.2"
- checksum: 10c0/293249118c2fc3cdc79ff9712e3a9f757a2f38e7d5d770507b3bb31d22b8c67ed6f9bdd83c1b6319236b8257d5cc7e2882c15e076200021e8bbf41e4780d430c
- languageName: node
- linkType: hard
-
-"@aws-sdk/types@npm:^3.664.0":
- version: 3.664.0
- resolution: "@aws-sdk/types@npm:3.664.0"
- dependencies:
- "@smithy/types": "npm:^3.5.0"
- tslib: "npm:^2.6.2"
- checksum: 10c0/0f56e2dfc2990ded7fe3c3344a3ae0e21f835b4a251d309def04bf122b1da2336baf66fa78d6b9c4a82166d6ccd9cadcd4186f0c7bf7423e4db973dac63f2d74
- languageName: node
- linkType: hard
-
"@aws-sdk/util-arn-parser@npm:3.568.0":
version: 3.568.0
resolution: "@aws-sdk/util-arn-parser@npm:3.568.0"
@@ -1241,6 +1603,24 @@ __metadata:
languageName: node
linkType: hard
+"@aws-sdk/util-user-agent-node@npm:3.678.0":
+ version: 3.678.0
+ resolution: "@aws-sdk/util-user-agent-node@npm:3.678.0"
+ dependencies:
+ "@aws-sdk/middleware-user-agent": "npm:3.678.0"
+ "@aws-sdk/types": "npm:3.667.0"
+ "@smithy/node-config-provider": "npm:^3.1.8"
+ "@smithy/types": "npm:^3.5.0"
+ tslib: "npm:^2.6.2"
+ peerDependencies:
+ aws-crt: ">=1.0.0"
+ peerDependenciesMeta:
+ aws-crt:
+ optional: true
+ checksum: 10c0/c17b09c247c11c7ff14a7c3fd8b8976e3b28f339a5dbe5f0f4717096e7c1bd8a1132e494d7ef709871988b06528a8742c0af4407b8650276e135aa1671c7b865
+ languageName: node
+ linkType: hard
+
"@aws-sdk/xml-builder@npm:3.662.0":
version: 3.662.0
resolution: "@aws-sdk/xml-builder@npm:3.662.0"
@@ -4670,15 +5050,6 @@ __metadata:
languageName: node
linkType: hard
-"@smithy/types@npm:^3.3.0":
- version: 3.3.0
- resolution: "@smithy/types@npm:3.3.0"
- dependencies:
- tslib: "npm:^2.6.2"
- checksum: 10c0/ab2c2d621384a2bbdd31d5c90809395cb5c2a726afd69758895d5a630f932f6ae9a53ca7a9cd5d8c195df9278869b2420a2fb4fada47dee9e8c9d4e3c80a349e
- languageName: node
- linkType: hard
-
"@smithy/types@npm:^3.5.0":
version: 3.5.0
resolution: "@smithy/types@npm:3.5.0"
@@ -5291,16 +5662,7 @@ __metadata:
languageName: node
linkType: hard
-"@types/node@npm:*":
- version: 22.4.1
- resolution: "@types/node@npm:22.4.1"
- dependencies:
- undici-types: "npm:~6.19.2"
- checksum: 10c0/e42607438fcbd3a6aebd09084868fa0b22a4b0daf9eda79ed615df7ff8ae95e35ea56e090e1f3140ebae76b640abe42d4a6d5b60c0819eadf499adca737305b6
- languageName: node
- linkType: hard
-
-"@types/node@npm:^22.5.4":
+"@types/node@npm:*, @types/node@npm:^22.5.4":
version: 22.5.4
resolution: "@types/node@npm:22.5.4"
dependencies:
@@ -5925,14 +6287,14 @@ __metadata:
languageName: node
linkType: hard
-"aws-sdk-client-mock@npm:^4.0.2":
- version: 4.0.2
- resolution: "aws-sdk-client-mock@npm:4.0.2"
+"aws-sdk-client-mock@npm:^4.1.0":
+ version: 4.1.0
+ resolution: "aws-sdk-client-mock@npm:4.1.0"
dependencies:
"@types/sinon": "npm:^17.0.3"
sinon: "npm:^18.0.1"
tslib: "npm:^2.1.0"
- checksum: 10c0/3028bb4997e51efa8669f96e01b6c3841f0c5cfb4ae8e3087e31b556dc34193619cd7152f4c30eb65f5c851e384709f915a2d6ea6dd52f7ece7216a9942c213b
+ checksum: 10c0/045caad0cff0ffeb08e69849dcae51aac8999163c58d71220bf47a82c237aabab2abf92bf6bf3bd7666e6e8984513c628e01a89eafa46fb230201d6587bc01e9
languageName: node
linkType: hard
@@ -5968,18 +6330,7 @@ __metadata:
languageName: node
linkType: hard
-"axios@npm:^1.7.2, axios@npm:^1.7.4":
- version: 1.7.5
- resolution: "axios@npm:1.7.5"
- dependencies:
- follow-redirects: "npm:^1.15.6"
- form-data: "npm:^4.0.0"
- proxy-from-env: "npm:^1.1.0"
- checksum: 10c0/1d5daeb28b3d1bb2a7b9f0743433c4bfbeaddc15461e50ebde487eec6c009af2515749d5261096dd430c90cd891bd310bcba5ec3967bae2033c4a307f58a6ad3
- languageName: node
- linkType: hard
-
-"axios@npm:^1.7.7":
+"axios@npm:^1.7.2, axios@npm:^1.7.4, axios@npm:^1.7.7":
version: 1.7.7
resolution: "axios@npm:1.7.7"
dependencies:
@@ -6346,17 +6697,7 @@ __metadata:
languageName: node
linkType: hard
-"call-bind@npm:^1.0.2":
- version: 1.0.2
- resolution: "call-bind@npm:1.0.2"
- dependencies:
- function-bind: "npm:^1.1.1"
- get-intrinsic: "npm:^1.0.2"
- checksum: 10c0/74ba3f31e715456e22e451d8d098779b861eba3c7cac0d9b510049aced70d75c231ba05071f97e1812c98e34e2bee734c0c6126653e0088c2d9819ca047f4073
- languageName: node
- linkType: hard
-
-"call-bind@npm:^1.0.7":
+"call-bind@npm:^1.0.2, call-bind@npm:^1.0.7":
version: 1.0.7
resolution: "call-bind@npm:1.0.7"
dependencies:
@@ -7669,7 +8010,7 @@ __metadata:
languageName: node
linkType: hard
-"function-bind@npm:^1.1.1, function-bind@npm:^1.1.2":
+"function-bind@npm:^1.1.2":
version: 1.1.2
resolution: "function-bind@npm:1.1.2"
checksum: 10c0/d8680ee1e5fcd4c197e4ac33b2b4dce03c71f4d91717292785703db200f5c21f977c568d28061226f9b5900cbcd2c84463646134fd5337e7925e0942bc3f46d5
@@ -7690,18 +8031,7 @@ __metadata:
languageName: node
linkType: hard
-"get-intrinsic@npm:^1.0.2, get-intrinsic@npm:^1.1.3":
- version: 1.2.0
- resolution: "get-intrinsic@npm:1.2.0"
- dependencies:
- function-bind: "npm:^1.1.1"
- has: "npm:^1.0.3"
- has-symbols: "npm:^1.0.3"
- checksum: 10c0/7c564f6b1061e6ca9eb1abab424a2cf80b93e75dcde65229d504e4055aa0ea54f88330e9b75d10e41c72bca881a947e84193b3549a4692d836f304239a178d63
- languageName: node
- linkType: hard
-
-"get-intrinsic@npm:^1.2.4":
+"get-intrinsic@npm:^1.1.3, get-intrinsic@npm:^1.2.4":
version: 1.2.4
resolution: "get-intrinsic@npm:1.2.4"
dependencies:
@@ -7875,15 +8205,6 @@ __metadata:
languageName: node
linkType: hard
-"has@npm:^1.0.3":
- version: 1.0.3
- resolution: "has@npm:1.0.3"
- dependencies:
- function-bind: "npm:^1.1.1"
- checksum: 10c0/e1da0d2bd109f116b632f27782cf23182b42f14972ca9540e4c5aa7e52647407a0a4a76937334fddcb56befe94a3494825ec22b19b51f5e5507c3153fd1a5e1b
- languageName: node
- linkType: hard
-
"hasown@npm:^2.0.0":
version: 2.0.1
resolution: "hasown@npm:2.0.1"
@@ -10630,16 +10951,7 @@ __metadata:
languageName: node
linkType: hard
-"semver@npm:^7.0.0, semver@npm:^7.3.5, semver@npm:^7.5.3, semver@npm:^7.5.4, semver@npm:^7.6.0":
- version: 7.6.2
- resolution: "semver@npm:7.6.2"
- bin:
- semver: bin/semver.js
- checksum: 10c0/97d3441e97ace8be4b1976433d1c32658f6afaff09f143e52c593bae7eef33de19e3e369c88bd985ce1042c6f441c80c6803078d1de2a9988080b66684cbb30c
- languageName: node
- linkType: hard
-
-"semver@npm:^7.6.3":
+"semver@npm:^7.0.0, semver@npm:^7.3.5, semver@npm:^7.5.3, semver@npm:^7.5.4, semver@npm:^7.6.0, semver@npm:^7.6.3":
version: 7.6.3
resolution: "semver@npm:7.6.3"
bin:
diff --git a/main.tf b/main.tf
index 25346b30bd..12f0bd96bb 100644
--- a/main.tf
+++ b/main.tf
@@ -123,6 +123,7 @@ module "ssm" {
module "webhook" {
source = "./modules/webhook"
+
ssm_paths = {
root = local.ssm_root_path
webhook = var.ssm_paths.webhook
@@ -130,6 +131,7 @@ module "webhook" {
prefix = var.prefix
tags = local.tags
kms_key_arn = var.kms_key_arn
+ eventbridge = var.eventbridge
runner_matcher_config = {
(aws_sqs_queue.queued_builds.id) = {
diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md
index 1e399a1a1c..d47ea60c6f 100644
--- a/modules/multi-runner/README.md
+++ b/modules/multi-runner/README.md
@@ -131,7 +131,8 @@ module "multi-runner" {
| [enable\_ami\_housekeeper](#input\_enable\_ami\_housekeeper) | Option to disable the lambda to clean up old AMIs. | `bool` | `false` | no |
| [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
| [enable\_metrics\_control\_plane](#input\_enable\_metrics\_control\_plane) | (Experimental) Enable or disable the metrics for the module. Feature can change or renamed without a major release. | `bool` | `false` | no |
-| [enable\_workflow\_job\_events\_queue](#input\_enable\_workflow\_job\_events\_queue) | Enabling this experimental feature will create a secondory sqs queue to which a copy of the workflow\_job event will be delivered. | `bool` | `false` | no |
+| [enable\_workflow\_job\_events\_queue](#input\_enable\_workflow\_job\_events\_queue) | Enabling this experimental feature will create a secondary SQS queue to which a copy of the workflow\_job event will be delivered. | `bool` | `false` | no |
+| [eventbridge](#input\_eventbridge) | Enable the use of EventBridge by the module. By enabling this feature events will be put on the EventBridge by the webhook instead of directly dispatching to queues for scaling. | object({
enable = optional(bool, false)
accept_events = optional(list(string), [])
}) | `{}` | no |
| [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no |
| [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no |
| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | object({
key_base64 = string
id = string
webhook_secret = string
}) | n/a | yes |
diff --git a/modules/multi-runner/outputs.tf b/modules/multi-runner/outputs.tf
index bc6624be27..0a7b99243f 100644
--- a/modules/multi-runner/outputs.tf
+++ b/modules/multi-runner/outputs.tf
@@ -38,6 +38,9 @@ output "webhook" {
lambda_log_group = module.webhook.lambda_log_group
lambda_role = module.webhook.role
endpoint = "${module.webhook.gateway.api_endpoint}/${module.webhook.endpoint_relative_path}"
+ webhook = module.webhook.webhook
+ dispatcher = var.eventbridge.enable ? module.webhook.dispatcher : null
+ eventbridge = var.eventbridge.enable ? module.webhook.eventbridge : null
}
}
diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf
index 553cc04594..a9d0a9f906 100644
--- a/modules/multi-runner/variables.tf
+++ b/modules/multi-runner/variables.tf
@@ -551,7 +551,7 @@ variable "pool_lambda_reserved_concurrent_executions" {
}
variable "enable_workflow_job_events_queue" {
- description = "Enabling this experimental feature will create a secondory sqs queue to which a copy of the workflow_job event will be delivered."
+ description = "Enabling this experimental feature will create a secondary SQS queue to which a copy of the workflow_job event will be delivered."
type = bool
default = false
}
@@ -683,3 +683,13 @@ variable "metrics" {
})
default = {}
}
+
+variable "eventbridge" {
+ description = "Enable the use of EventBridge by the module. By enabling this feature events will be put on the EventBridge by the webhook instead of directly dispatching to queues for scaling."
+ type = object({
+ enable = optional(bool, false)
+ accept_events = optional(list(string), [])
+ })
+
+ default = {}
+}
diff --git a/modules/multi-runner/webhook.tf b/modules/multi-runner/webhook.tf
index 573ebafbe0..9e70ca81a2 100644
--- a/modules/multi-runner/webhook.tf
+++ b/modules/multi-runner/webhook.tf
@@ -1,11 +1,12 @@
module "webhook" {
- source = "../webhook"
- prefix = var.prefix
- tags = local.tags
- kms_key_arn = var.kms_key_arn
-
+ source = "../webhook"
+ prefix = var.prefix
+ tags = local.tags
+ kms_key_arn = var.kms_key_arn
+ eventbridge = var.eventbridge
runner_matcher_config = local.runner_config
matcher_config_parameter_store_tier = var.matcher_config_parameter_store_tier
+
ssm_paths = {
root = local.ssm_root_path
webhook = var.ssm_paths.webhook
diff --git a/modules/webhook/README.md b/modules/webhook/README.md
index 4419b109d0..4408bc56af 100644
--- a/modules/webhook/README.md
+++ b/modules/webhook/README.md
@@ -2,11 +2,11 @@
> This module is treated as internal module, breaking changes will not trigger a major release bump.
-This module creates an API gateway endpoint and lambda function to handle GitHub App webhook events.
+The module can be deployed in two modes. 'Direct' messages, are delivered directly to the runner queues. 'EventBridge' messages are delivered to an EventBridge bus and then dispatched to the runner queues.
## Lambda Function
-The Lambda function is written in [TypeScript](https://www.typescriptlang.org/) and requires Node 12.x and yarn. Sources are located in [./lambdas/webhook].
+The Lambda function is written in [TypeScript](https://www.typescriptlang.org/) and requires Node and yarn. Sources are located in [./lambdas/webhook]. Check see `lambda.ts` for the different handler functions available.
### Install
@@ -44,11 +44,13 @@ yarn run dist
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | ~> 5.27 |
-| [null](#provider\_null) | ~> 3 |
## Modules
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| [direct](#module\_direct) | ./direct | n/a |
+| [eventbridge](#module\_eventbridge) | ./eventbridge | n/a |
## Resources
@@ -58,26 +60,14 @@ No modules.
| [aws_apigatewayv2_integration.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_integration) | resource |
| [aws_apigatewayv2_route.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_route) | resource |
| [aws_apigatewayv2_stage.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage) | resource |
-| [aws_cloudwatch_log_group.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_iam_role.webhook_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy.webhook_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy.webhook_workflow_job_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy.xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy_attachment.webhook_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_lambda_function.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
-| [aws_lambda_permission.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_ssm_parameter.runner_matcher_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
-| [null_resource.github_app_parameters](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [aws_iam_policy_document.lambda_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.lambda_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [aws\_partition](#input\_aws\_partition) | (optional) partition for the base arn if not 'aws' | `string` | `"aws"` | no |
+| [eventbridge](#input\_eventbridge) | Enable the use of EventBridge by the module. By enabling this feature events will be put on the EventBridge by the webhook instead of directly dispatching to queues for scaling.
`enable`: Enable the EventBridge feature.
`accept_events`: List can be used to only allow specific events to be putted on the EventBridge. By default all events, empty list will be be interpreted as all events. | object({
enable = optional(bool, false)
accept_events = optional(list(string), null)
}) | n/a | yes |
| [github\_app\_parameters](#input\_github\_app\_parameters) | Parameter Store for GitHub App Parameters. | object({
webhook_secret = map(string)
}) | n/a | yes |
| [kms\_key\_arn](#input\_kms\_key\_arn) | Optional CMK Key ARN to be used for Parameter Store. | `string` | `null` | no |
| [lambda\_architecture](#input\_lambda\_architecture) | AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions. | `string` | `"arm64"` | no |
@@ -110,9 +100,12 @@ No modules.
| Name | Description |
|------|-------------|
+| [dispatcher](#output\_dispatcher) | n/a |
| [endpoint\_relative\_path](#output\_endpoint\_relative\_path) | n/a |
+| [eventbridge](#output\_eventbridge) | n/a |
| [gateway](#output\_gateway) | n/a |
| [lambda](#output\_lambda) | n/a |
| [lambda\_log\_group](#output\_lambda\_log\_group) | n/a |
| [role](#output\_role) | n/a |
+| [webhook](#output\_webhook) | n/a |
diff --git a/modules/webhook/direct/README.md b/modules/webhook/direct/README.md
new file mode 100644
index 0000000000..be9390c3dc
--- /dev/null
+++ b/modules/webhook/direct/README.md
@@ -0,0 +1,52 @@
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.3.0 |
+| [aws](#requirement\_aws) | ~> 5.27 |
+| [null](#requirement\_null) | ~> 3.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | ~> 5.27 |
+| [null](#provider\_null) | ~> 3.2 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_role.webhook_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webhook_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webhook_workflow_job_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.webhook_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_function.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_permission.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [null_resource.github_app_parameters](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.ssm_parameter_runner_matcher_config](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_iam_policy_document.lambda_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [config](#input\_config) | Configuration object for all variables. | object({
prefix = string
archive = optional(object({
enable = optional(bool, true)
retention_days = optional(number, 7)
}), {})
tags = optional(map(string), {})
lambda_subnet_ids = optional(list(string), [])
lambda_security_group_ids = optional(list(string), [])
sqs_job_queues_arns = list(string)
sqs_workflow_job_queue = optional(object({
id = string
arn = string
}), null)
lambda_zip = optional(string, null)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 10)
role_permissions_boundary = optional(string, null)
role_path = optional(string, null)
logging_retention_in_days = optional(number, 180)
logging_kms_key_id = optional(string, null)
lambda_s3_bucket = optional(string, null)
lambda_s3_key = optional(string, null)
lambda_s3_object_version = optional(string, null)
lambda_apigateway_access_log_settings = optional(object({
destination_arn = string
format = string
}), null)
repository_white_list = optional(list(string), [])
kms_key_arn = optional(string, null)
log_level = optional(string, "info")
lambda_runtime = optional(string, "nodejs20.x")
aws_partition = optional(string, "aws")
lambda_architecture = optional(string, "arm64")
github_app_parameters = object({
webhook_secret = map(string)
})
tracing_config = optional(object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
}), {})
lambda_tags = optional(map(string), {})
api_gw_source_arn = string
ssm_parameter_runner_matcher_config = object({
name = string
arn = string
version = string
})
}) | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [webhook](#output\_webhook) | n/a |
+| [webhook\_lambda\_function](#output\_webhook\_lambda\_function) | n/a |
+
\ No newline at end of file
diff --git a/modules/webhook/direct/main.tf b/modules/webhook/direct/main.tf
new file mode 100644
index 0000000000..9937792f5e
--- /dev/null
+++ b/modules/webhook/direct/main.tf
@@ -0,0 +1,6 @@
+
+resource "null_resource" "ssm_parameter_runner_matcher_config" {
+ triggers = {
+ version = var.config.ssm_parameter_runner_matcher_config.version
+ }
+}
diff --git a/modules/webhook/direct/outputs.tf b/modules/webhook/direct/outputs.tf
new file mode 100644
index 0000000000..891821c727
--- /dev/null
+++ b/modules/webhook/direct/outputs.tf
@@ -0,0 +1,12 @@
+output "webhook_lambda_function" {
+ value = aws_lambda_function.webhook
+}
+
+
+output "webhook" {
+ value = {
+ lambda = aws_lambda_function.webhook
+ log_group = aws_cloudwatch_log_group.webhook
+ role = aws_iam_role.webhook_lambda
+ }
+}
diff --git a/modules/webhook/policies.tf b/modules/webhook/direct/policies.tf
similarity index 83%
rename from modules/webhook/policies.tf
rename to modules/webhook/direct/policies.tf
index 454d943b4b..23bfea7d24 100644
--- a/modules/webhook/policies.tf
+++ b/modules/webhook/direct/policies.tf
@@ -1,5 +1,5 @@
data "aws_iam_policy_document" "lambda_xray" {
- count = var.tracing_config.mode != null ? 1 : 0
+ count = var.config.tracing_config.mode != null ? 1 : 0
statement {
actions = [
"xray:BatchGetTraces",
diff --git a/modules/webhook/direct/variables.tf b/modules/webhook/direct/variables.tf
new file mode 100644
index 0000000000..dabad516a9
--- /dev/null
+++ b/modules/webhook/direct/variables.tf
@@ -0,0 +1,54 @@
+variable "config" {
+ description = "Configuration object for all variables."
+ type = object({
+ prefix = string
+ archive = optional(object({
+ enable = optional(bool, true)
+ retention_days = optional(number, 7)
+ }), {})
+ tags = optional(map(string), {})
+
+ lambda_subnet_ids = optional(list(string), [])
+ lambda_security_group_ids = optional(list(string), [])
+ sqs_job_queues_arns = list(string)
+ sqs_workflow_job_queue = optional(object({
+ id = string
+ arn = string
+ }), null)
+ lambda_zip = optional(string, null)
+ lambda_memory_size = optional(number, 256)
+ lambda_timeout = optional(number, 10)
+ role_permissions_boundary = optional(string, null)
+ role_path = optional(string, null)
+ logging_retention_in_days = optional(number, 180)
+ logging_kms_key_id = optional(string, null)
+ lambda_s3_bucket = optional(string, null)
+ lambda_s3_key = optional(string, null)
+ lambda_s3_object_version = optional(string, null)
+ lambda_apigateway_access_log_settings = optional(object({
+ destination_arn = string
+ format = string
+ }), null)
+ repository_white_list = optional(list(string), [])
+ kms_key_arn = optional(string, null)
+ log_level = optional(string, "info")
+ lambda_runtime = optional(string, "nodejs20.x")
+ aws_partition = optional(string, "aws")
+ lambda_architecture = optional(string, "arm64")
+ github_app_parameters = object({
+ webhook_secret = map(string)
+ })
+ tracing_config = optional(object({
+ mode = optional(string, null)
+ capture_http_requests = optional(bool, false)
+ capture_error = optional(bool, false)
+ }), {})
+ lambda_tags = optional(map(string), {})
+ api_gw_source_arn = string
+ ssm_parameter_runner_matcher_config = object({
+ name = string
+ arn = string
+ version = string
+ })
+ })
+}
diff --git a/modules/webhook/direct/versions.tf b/modules/webhook/direct/versions.tf
new file mode 100644
index 0000000000..d780c7775c
--- /dev/null
+++ b/modules/webhook/direct/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 1.3.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.27"
+ }
+
+ null = {
+ source = "hashicorp/null"
+ version = "~> 3.2"
+ }
+ }
+}
diff --git a/modules/webhook/direct/webhook.tf b/modules/webhook/direct/webhook.tf
new file mode 100644
index 0000000000..9fd24e3d30
--- /dev/null
+++ b/modules/webhook/direct/webhook.tf
@@ -0,0 +1,149 @@
+locals {
+ lambda_zip = var.config.lambda_zip == null ? "${path.module}/../../../lambdas/functions/webhook/webhook.zip" : var.config.lambda_zip
+}
+
+resource "aws_lambda_function" "webhook" {
+ s3_bucket = var.config.lambda_s3_bucket != null ? var.config.lambda_s3_bucket : null
+ s3_key = var.config.lambda_s3_key != null ? var.config.lambda_s3_key : null
+ s3_object_version = var.config.lambda_s3_object_version != null ? var.config.lambda_s3_object_version : null
+ filename = var.config.lambda_s3_bucket == null ? local.lambda_zip : null
+ source_code_hash = var.config.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
+ function_name = "${var.config.prefix}-webhook"
+ role = aws_iam_role.webhook_lambda.arn
+ handler = "index.directWebhook"
+ runtime = var.config.lambda_runtime
+ memory_size = var.config.lambda_memory_size
+ timeout = var.config.lambda_timeout
+ architectures = [var.config.lambda_architecture]
+
+ environment {
+ variables = {
+ for k, v in {
+ LOG_LEVEL = var.config.log_level
+ POWERTOOLS_LOGGER_LOG_EVENT = var.config.log_level == "debug" ? "true" : "false"
+ POWERTOOLS_TRACE_ENABLED = var.config.tracing_config.mode != null ? true : false
+ POWERTOOLS_TRACER_CAPTURE_HTTPS_REQUESTS = var.config.tracing_config.capture_http_requests
+ POWERTOOLS_TRACER_CAPTURE_ERROR = var.config.tracing_config.capture_error
+ PARAMETER_GITHUB_APP_WEBHOOK_SECRET = var.config.github_app_parameters.webhook_secret.name
+ REPOSITORY_ALLOW_LIST = jsonencode(var.config.repository_white_list)
+ SQS_WORKFLOW_JOB_QUEUE = try(var.config.sqs_workflow_job_queue.id, null)
+ PARAMETER_RUNNER_MATCHER_CONFIG_PATH = var.config.ssm_parameter_runner_matcher_config.name
+ } : k => v if v != null
+ }
+ }
+
+ dynamic "vpc_config" {
+ for_each = var.config.lambda_subnet_ids != null && var.config.lambda_security_group_ids != null ? [true] : []
+ content {
+ security_group_ids = var.config.lambda_security_group_ids
+ subnet_ids = var.config.lambda_subnet_ids
+ }
+ }
+
+ tags = merge(var.config.tags, var.config.lambda_tags)
+
+ dynamic "tracing_config" {
+ for_each = var.config.tracing_config.mode != null ? [true] : []
+ content {
+ mode = var.config.tracing_config.mode
+ }
+ }
+
+ lifecycle {
+ replace_triggered_by = [null_resource.ssm_parameter_runner_matcher_config, null_resource.github_app_parameters]
+ }
+}
+
+resource "aws_cloudwatch_log_group" "webhook" {
+ name = "/aws/lambda/${aws_lambda_function.webhook.function_name}"
+ retention_in_days = var.config.logging_retention_in_days
+ kms_key_id = var.config.logging_kms_key_id
+ tags = var.config.tags
+}
+
+resource "aws_lambda_permission" "webhook" {
+ statement_id = "AllowExecutionFromAPIGateway"
+ action = "lambda:InvokeFunction"
+ function_name = aws_lambda_function.webhook.function_name
+ principal = "apigateway.amazonaws.com"
+ source_arn = var.config.api_gw_source_arn
+ lifecycle {
+ replace_triggered_by = [null_resource.ssm_parameter_runner_matcher_config, null_resource.github_app_parameters]
+ }
+}
+
+resource "null_resource" "github_app_parameters" {
+ triggers = {
+ github_app_webhook_secret = var.config.github_app_parameters.webhook_secret.name
+ }
+}
+
+data "aws_iam_policy_document" "lambda_assume_role_policy" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "webhook_lambda" {
+ name = "${var.config.prefix}-direct-webhook-lambda-role"
+ assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
+ path = var.config.role_path
+ permissions_boundary = var.config.role_permissions_boundary
+ tags = var.config.tags
+}
+
+resource "aws_iam_role_policy" "webhook_logging" {
+ name = "logging-policy"
+ role = aws_iam_role.webhook_lambda.name
+ policy = templatefile("${path.module}/../policies/lambda-cloudwatch.json", {
+ log_group_arn = aws_cloudwatch_log_group.webhook.arn
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "webhook_vpc_execution_role" {
+ count = length(var.config.lambda_subnet_ids) > 0 ? 1 : 0
+ role = aws_iam_role.webhook_lambda.name
+ policy_arn = "arn:${var.config.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+resource "aws_iam_role_policy" "webhook_sqs" {
+ name = "publish-sqs-policy"
+ role = aws_iam_role.webhook_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
+ sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
+ kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+ })
+}
+
+resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
+ count = var.config.sqs_workflow_job_queue != null ? 1 : 0
+ name = "publish-workflow-job-sqs-policy"
+ role = aws_iam_role.webhook_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
+ sqs_resource_arns = jsonencode([var.config.sqs_workflow_job_queue.arn])
+ kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+ })
+}
+
+resource "aws_iam_role_policy" "webhook_ssm" {
+ name = "publish-ssm-policy"
+ role = aws_iam_role.webhook_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-ssm.json", {
+ resource_arns = jsonencode([var.config.github_app_parameters.webhook_secret.arn, var.config.ssm_parameter_runner_matcher_config.arn])
+ })
+}
+
+resource "aws_iam_role_policy" "xray" {
+ count = var.config.tracing_config.mode != null ? 1 : 0
+ name = "xray-policy"
+ policy = data.aws_iam_policy_document.lambda_xray[0].json
+ role = aws_iam_role.webhook_lambda.name
+}
diff --git a/modules/webhook/eventbridge/README.md b/modules/webhook/eventbridge/README.md
new file mode 100644
index 0000000000..6426772d3d
--- /dev/null
+++ b/modules/webhook/eventbridge/README.md
@@ -0,0 +1,65 @@
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.3.0 |
+| [aws](#requirement\_aws) | ~> 5.0 |
+| [null](#requirement\_null) | ~> 3.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | ~> 5.0 |
+| [null](#provider\_null) | ~> 3.2 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_event_archive.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_archive) | resource |
+| [aws_cloudwatch_event_bus.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_bus) | resource |
+| [aws_cloudwatch_event_rule.workflow_job](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_target.github_welcome](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_cloudwatch_log_group.dispatcher](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_role.dispatcher_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.webhook_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.dispatcher_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.dispatcher_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.dispatcher_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.dispatcher_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webhook_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.dispatcher_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.webhook_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_function.dispatcher](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_permission.allow_cloudwatch_to_call_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [null_resource.github_app_parameters](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [null_resource.ssm_parameter_runner_matcher_config](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_iam_policy_document.lambda_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [config](#input\_config) | Configuration object for all variables. | object({
prefix = string
archive = optional(object({
enable = optional(bool, true)
retention_days = optional(number, 7)
}), {})
tags = optional(map(string), {})
lambda_subnet_ids = optional(list(string), [])
lambda_security_group_ids = optional(list(string), [])
sqs_job_queues_arns = list(string)
sqs_workflow_job_queue = optional(object({
id = string
arn = string
}), null)
lambda_zip = optional(string, null)
lambda_memory_size = optional(number, 256)
lambda_timeout = optional(number, 10)
role_permissions_boundary = optional(string, null)
role_path = optional(string, null)
logging_retention_in_days = optional(number, 180)
logging_kms_key_id = optional(string, null)
lambda_s3_bucket = optional(string, null)
lambda_s3_key = optional(string, null)
lambda_s3_object_version = optional(string, null)
lambda_apigateway_access_log_settings = optional(object({
destination_arn = string
format = string
}), null)
repository_white_list = optional(list(string), [])
kms_key_arn = optional(string, null)
log_level = optional(string, "info")
lambda_runtime = optional(string, "nodejs20.x")
aws_partition = optional(string, "aws")
lambda_architecture = optional(string, "arm64")
github_app_parameters = object({
webhook_secret = map(string)
})
tracing_config = optional(object({
mode = optional(string, null)
capture_http_requests = optional(bool, false)
capture_error = optional(bool, false)
}), {})
lambda_tags = optional(map(string), {})
api_gw_source_arn = string
ssm_parameter_runner_matcher_config = object({
name = string
arn = string
version = string
})
accept_events = optional(list(string), null)
}) | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [dispatcher](#output\_dispatcher) | n/a |
+| [eventbridge](#output\_eventbridge) | n/a |
+| [webhook](#output\_webhook) | n/a |
+
\ No newline at end of file
diff --git a/modules/webhook/eventbridge/dispatcher.tf b/modules/webhook/eventbridge/dispatcher.tf
new file mode 100644
index 0000000000..93d9af84e1
--- /dev/null
+++ b/modules/webhook/eventbridge/dispatcher.tf
@@ -0,0 +1,137 @@
+resource "aws_cloudwatch_event_rule" "workflow_job" {
+ name = "${var.config.prefix}-workflow_job"
+ description = "Workflow job event ruule for job queued."
+ event_bus_name = aws_cloudwatch_event_bus.main.name
+
+ event_pattern = < v if v != null
+ }
+ }
+
+ dynamic "vpc_config" {
+ for_each = var.config.lambda_subnet_ids != null && var.config.lambda_security_group_ids != null ? [true] : []
+ content {
+ security_group_ids = var.config.lambda_security_group_ids
+ subnet_ids = var.config.lambda_subnet_ids
+ }
+ }
+
+ tags = merge(var.config.tags, var.config.lambda_tags)
+
+ dynamic "tracing_config" {
+ for_each = var.config.tracing_config.mode != null ? [true] : []
+ content {
+ mode = var.config.tracing_config.mode
+ }
+ }
+
+ lifecycle {
+ replace_triggered_by = [null_resource.ssm_parameter_runner_matcher_config, null_resource.github_app_parameters]
+ }
+}
+
+resource "aws_cloudwatch_log_group" "dispatcher" {
+ name = "/aws/lambda/${aws_lambda_function.dispatcher.function_name}"
+ retention_in_days = var.config.logging_retention_in_days
+ kms_key_id = var.config.logging_kms_key_id
+ tags = var.config.tags
+}
+
+resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda" {
+ statement_id = "AllowExecutionFromCloudWatch"
+ action = "lambda:InvokeFunction"
+ function_name = aws_lambda_function.dispatcher.function_name
+ principal = "events.amazonaws.com"
+ source_arn = aws_cloudwatch_event_rule.workflow_job.arn
+}
+
+resource "aws_iam_role" "dispatcher_lambda" {
+ name = "${var.config.prefix}-dispatcher-lambda-role"
+ assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
+ path = var.config.role_path
+ permissions_boundary = var.config.role_permissions_boundary
+ tags = var.config.tags
+}
+
+resource "aws_iam_role_policy" "dispatcher_logging" {
+ name = "logging-policy"
+ role = aws_iam_role.dispatcher_lambda.name
+ policy = templatefile("${path.module}/../policies/lambda-cloudwatch.json", {
+ log_group_arn = aws_cloudwatch_log_group.dispatcher.arn
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "dispatcher_vpc_execution_role" {
+ count = length(var.config.lambda_subnet_ids) > 0 ? 1 : 0
+ role = aws_iam_role.dispatcher_lambda.name
+ policy_arn = "arn:${var.config.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+resource "aws_iam_role_policy" "dispatcher_sqs" {
+ name = "publish-sqs-policy"
+ role = aws_iam_role.dispatcher_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
+ sqs_resource_arns = jsonencode(var.config.sqs_job_queues_arns)
+ kms_key_arn = var.config.kms_key_arn != null ? var.config.kms_key_arn : ""
+ })
+}
+
+resource "aws_iam_role_policy" "dispatcher_ssm" {
+ name = "publish-ssm-policy"
+ role = aws_iam_role.dispatcher_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-ssm.json", {
+ resource_arns = jsonencode([var.config.ssm_parameter_runner_matcher_config.arn])
+ })
+}
+
+resource "aws_iam_role_policy" "dispatcher_xray" {
+ count = var.config.tracing_config.mode != null ? 1 : 0
+ name = "xray-policy"
+ policy = data.aws_iam_policy_document.lambda_xray[0].json
+ role = aws_iam_role.dispatcher_lambda.name
+}
diff --git a/modules/webhook/eventbridge/main.tf b/modules/webhook/eventbridge/main.tf
new file mode 100644
index 0000000000..79ba724c51
--- /dev/null
+++ b/modules/webhook/eventbridge/main.tf
@@ -0,0 +1,21 @@
+locals {
+ name = "${var.config.prefix}-runners"
+ lambda_zip = var.config.lambda_zip == null ? "${path.module}/../../../lambdas/functions/webhook/webhook.zip" : var.config.lambda_zip
+}
+
+resource "aws_cloudwatch_event_bus" "main" {
+ name = local.name
+ tags = var.config.tags
+}
+
+resource "aws_cloudwatch_event_archive" "main" {
+ name = "${local.name}-archive"
+ event_source_arn = aws_cloudwatch_event_bus.main.arn
+ retention_days = var.config.archive.retention_days
+}
+
+resource "null_resource" "ssm_parameter_runner_matcher_config" {
+ triggers = {
+ version = var.config.ssm_parameter_runner_matcher_config.version
+ }
+}
diff --git a/modules/webhook/eventbridge/outputs.tf b/modules/webhook/eventbridge/outputs.tf
new file mode 100644
index 0000000000..3f7c4fde1d
--- /dev/null
+++ b/modules/webhook/eventbridge/outputs.tf
@@ -0,0 +1,22 @@
+output "eventbridge" {
+ value = {
+ event_bus = aws_cloudwatch_event_bus.main
+ archive = aws_cloudwatch_event_archive.main
+ }
+}
+
+output "webhook" {
+ value = {
+ lambda = aws_lambda_function.webhook
+ log_group = aws_cloudwatch_log_group.webhook
+ role = aws_iam_role.webhook_lambda
+ }
+}
+
+output "dispatcher" {
+ value = {
+ lambda = aws_lambda_function.dispatcher
+ log_group = aws_cloudwatch_log_group.dispatcher
+ role = aws_iam_role.dispatcher_lambda
+ }
+}
diff --git a/modules/webhook/eventbridge/policies.tf b/modules/webhook/eventbridge/policies.tf
new file mode 100644
index 0000000000..23bfea7d24
--- /dev/null
+++ b/modules/webhook/eventbridge/policies.tf
@@ -0,0 +1,16 @@
+data "aws_iam_policy_document" "lambda_xray" {
+ count = var.config.tracing_config.mode != null ? 1 : 0
+ statement {
+ actions = [
+ "xray:BatchGetTraces",
+ "xray:GetTraceSummaries",
+ "xray:PutTelemetryRecords",
+ "xray:PutTraceSegments"
+ ]
+ effect = "Allow"
+ resources = [
+ "*"
+ ]
+ sid = "AllowXRay"
+ }
+}
diff --git a/modules/webhook/eventbridge/variables.tf b/modules/webhook/eventbridge/variables.tf
new file mode 100644
index 0000000000..8980c6b5bc
--- /dev/null
+++ b/modules/webhook/eventbridge/variables.tf
@@ -0,0 +1,55 @@
+variable "config" {
+ description = "Configuration object for all variables."
+ type = object({
+ prefix = string
+ archive = optional(object({
+ enable = optional(bool, true)
+ retention_days = optional(number, 7)
+ }), {})
+ tags = optional(map(string), {})
+
+ lambda_subnet_ids = optional(list(string), [])
+ lambda_security_group_ids = optional(list(string), [])
+ sqs_job_queues_arns = list(string)
+ sqs_workflow_job_queue = optional(object({
+ id = string
+ arn = string
+ }), null)
+ lambda_zip = optional(string, null)
+ lambda_memory_size = optional(number, 256)
+ lambda_timeout = optional(number, 10)
+ role_permissions_boundary = optional(string, null)
+ role_path = optional(string, null)
+ logging_retention_in_days = optional(number, 180)
+ logging_kms_key_id = optional(string, null)
+ lambda_s3_bucket = optional(string, null)
+ lambda_s3_key = optional(string, null)
+ lambda_s3_object_version = optional(string, null)
+ lambda_apigateway_access_log_settings = optional(object({
+ destination_arn = string
+ format = string
+ }), null)
+ repository_white_list = optional(list(string), [])
+ kms_key_arn = optional(string, null)
+ log_level = optional(string, "info")
+ lambda_runtime = optional(string, "nodejs20.x")
+ aws_partition = optional(string, "aws")
+ lambda_architecture = optional(string, "arm64")
+ github_app_parameters = object({
+ webhook_secret = map(string)
+ })
+ tracing_config = optional(object({
+ mode = optional(string, null)
+ capture_http_requests = optional(bool, false)
+ capture_error = optional(bool, false)
+ }), {})
+ lambda_tags = optional(map(string), {})
+ api_gw_source_arn = string
+ ssm_parameter_runner_matcher_config = object({
+ name = string
+ arn = string
+ version = string
+ })
+ accept_events = optional(list(string), null)
+ })
+}
diff --git a/modules/webhook/eventbridge/versions.tf b/modules/webhook/eventbridge/versions.tf
new file mode 100644
index 0000000000..c53c0999f4
--- /dev/null
+++ b/modules/webhook/eventbridge/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 1.3.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+
+ null = {
+ source = "hashicorp/null"
+ version = "~> 3.2"
+ }
+ }
+}
diff --git a/modules/webhook/eventbridge/webhook.tf b/modules/webhook/eventbridge/webhook.tf
new file mode 100644
index 0000000000..7c47a5d19b
--- /dev/null
+++ b/modules/webhook/eventbridge/webhook.tf
@@ -0,0 +1,135 @@
+resource "aws_lambda_function" "webhook" {
+ s3_bucket = var.config.lambda_s3_bucket != null ? var.config.lambda_s3_bucket : null
+ s3_key = var.config.lambda_s3_key != null ? var.config.lambda_s3_key : null
+ s3_object_version = var.config.lambda_s3_object_version != null ? var.config.lambda_s3_object_version : null
+ filename = var.config.lambda_s3_bucket == null ? local.lambda_zip : null
+ source_code_hash = var.config.lambda_s3_bucket == null ? filebase64sha256(local.lambda_zip) : null
+ function_name = "${var.config.prefix}-webhook"
+ role = aws_iam_role.webhook_lambda.arn
+ handler = "index.eventBridgeWebhook"
+ runtime = var.config.lambda_runtime
+ memory_size = var.config.lambda_memory_size
+ timeout = var.config.lambda_timeout
+ architectures = [var.config.lambda_architecture]
+
+ environment {
+ variables = {
+ for k, v in {
+ LOG_LEVEL = var.config.log_level
+ POWERTOOLS_LOGGER_LOG_EVENT = var.config.log_level == "debug" ? "true" : "false"
+ POWERTOOLS_SERVICE_NAME = "webhook"
+ POWERTOOLS_TRACE_ENABLED = var.config.tracing_config.mode != null ? true : false
+ POWERTOOLS_TRACER_CAPTURE_HTTPS_REQUESTS = var.config.tracing_config.capture_http_requests
+ POWERTOOLS_TRACER_CAPTURE_ERROR = var.config.tracing_config.capture_error
+ # Parameters required for lambda configuration
+ ACCEPT_EVENTS = jsonencode(var.config.accept_events)
+ EVENT_BUS_NAME = aws_cloudwatch_event_bus.main.name
+ PARAMETER_GITHUB_APP_WEBHOOK_SECRET = var.config.github_app_parameters.webhook_secret.name
+ PARAMETER_RUNNER_MATCHER_CONFIG_PATH = var.config.ssm_parameter_runner_matcher_config.name
+ } : k => v if v != null
+ }
+ }
+
+ dynamic "vpc_config" {
+ for_each = var.config.lambda_subnet_ids != null && var.config.lambda_security_group_ids != null ? [true] : []
+ content {
+ security_group_ids = var.config.lambda_security_group_ids
+ subnet_ids = var.config.lambda_subnet_ids
+ }
+ }
+
+ tags = merge(var.config.tags, var.config.lambda_tags)
+
+ dynamic "tracing_config" {
+ for_each = var.config.tracing_config.mode != null ? [true] : []
+ content {
+ mode = var.config.tracing_config.mode
+ }
+ }
+
+ lifecycle {
+ replace_triggered_by = [null_resource.ssm_parameter_runner_matcher_config, null_resource.github_app_parameters]
+ }
+}
+
+resource "aws_cloudwatch_log_group" "webhook" {
+ name = "/aws/lambda/${aws_lambda_function.webhook.function_name}"
+ retention_in_days = var.config.logging_retention_in_days
+ kms_key_id = var.config.logging_kms_key_id
+ tags = var.config.tags
+}
+
+resource "aws_lambda_permission" "webhook" {
+ statement_id = "AllowExecutionFromAPIGateway"
+ action = "lambda:InvokeFunction"
+ function_name = aws_lambda_function.webhook.function_name
+ principal = "apigateway.amazonaws.com"
+ source_arn = var.config.api_gw_source_arn
+ lifecycle {
+ replace_triggered_by = [null_resource.ssm_parameter_runner_matcher_config, null_resource.github_app_parameters]
+ }
+}
+
+resource "null_resource" "github_app_parameters" {
+ triggers = {
+ github_app_webhook_secret = var.config.github_app_parameters.webhook_secret.name
+ }
+}
+
+data "aws_iam_policy_document" "lambda_assume_role_policy" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "webhook_lambda" {
+ name = "${var.config.prefix}-eventbridge-webhook-lambda-role"
+ assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
+ path = var.config.role_path
+ permissions_boundary = var.config.role_permissions_boundary
+ tags = var.config.tags
+}
+
+resource "aws_iam_role_policy" "webhook_logging" {
+ name = "logging-policy"
+ role = aws_iam_role.webhook_lambda.name
+ policy = templatefile("${path.module}/../policies/lambda-cloudwatch.json", {
+ log_group_arn = aws_cloudwatch_log_group.webhook.arn
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "webhook_vpc_execution_role" {
+ count = length(var.config.lambda_subnet_ids) > 0 ? 1 : 0
+ role = aws_iam_role.webhook_lambda.name
+ policy_arn = "arn:${var.config.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+resource "aws_iam_role_policy" "webhook_eventbridge" {
+ name = "publish-eventbridge-policy"
+ role = aws_iam_role.webhook_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-publish-eventbridge-policy.json", {
+ resource_arns = jsonencode(aws_cloudwatch_event_bus.main.arn)
+ })
+}
+
+resource "aws_iam_role_policy" "webhook_ssm" {
+ name = "publish-ssm-policy"
+ role = aws_iam_role.webhook_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-ssm.json", {
+ resource_arns = jsonencode([var.config.github_app_parameters.webhook_secret.arn])
+ })
+}
+
+resource "aws_iam_role_policy" "xray" {
+ count = var.config.tracing_config.mode != null ? 1 : 0
+ name = "xray-policy"
+ policy = data.aws_iam_policy_document.lambda_xray[0].json
+ role = aws_iam_role.webhook_lambda.name
+}
diff --git a/modules/webhook/main.tf b/modules/webhook/main.tf
index 71fc36fea1..2dd0624b48 100644
--- a/modules/webhook/main.tf
+++ b/modules/webhook/main.tf
@@ -1,7 +1,6 @@
locals {
webhook_endpoint = "webhook"
role_path = var.role_path == null ? "/${var.prefix}/" : var.role_path
- lambda_zip = var.lambda_zip == null ? "${path.module}/../../lambdas/functions/webhook/webhook.zip" : var.lambda_zip
}
resource "aws_apigatewayv2_api" "webhook" {
@@ -63,13 +62,5 @@ resource "aws_apigatewayv2_integration" "webhook" {
connection_type = "INTERNET"
description = "GitHub App webhook for receiving build events."
integration_method = "POST"
- integration_uri = aws_lambda_function.webhook.invoke_arn
-}
-
-
-resource "aws_ssm_parameter" "runner_matcher_config" {
- name = "${var.ssm_paths.root}/${var.ssm_paths.webhook}/runner-matcher-config"
- type = "String"
- value = jsonencode(local.runner_matcher_config_sorted)
- tier = var.matcher_config_parameter_store_tier
+ integration_uri = !var.eventbridge.enable ? module.direct[0].webhook.lambda.invoke_arn : module.eventbridge[0].webhook.lambda.invoke_arn
}
diff --git a/modules/webhook/outputs.tf b/modules/webhook/outputs.tf
index f368c0448c..b89cc10f92 100644
--- a/modules/webhook/outputs.tf
+++ b/modules/webhook/outputs.tf
@@ -2,18 +2,32 @@ output "gateway" {
value = aws_apigatewayv2_api.webhook
}
+output "endpoint_relative_path" {
+ value = local.webhook_endpoint
+}
+
+output "webhook" {
+ value = !var.eventbridge.enable ? module.direct[0].webhook : module.eventbridge[0].webhook
+}
+
+output "dispatcher" {
+ value = var.eventbridge.enable ? module.eventbridge[0].dispatcher : null
+}
+
+output "eventbridge" {
+ value = var.eventbridge.enable ? module.eventbridge[0].eventbridge : null
+}
+
+### For backwards compatibility
+
output "lambda" {
- value = aws_lambda_function.webhook
+ value = !var.eventbridge.enable ? module.direct[0].webhook.lambda : module.eventbridge[0].webhook.lambda
}
output "lambda_log_group" {
- value = aws_cloudwatch_log_group.webhook
+ value = !var.eventbridge.enable ? module.direct[0].webhook.log_group : module.eventbridge[0].webhook.log_group
}
output "role" {
- value = aws_iam_role.webhook_lambda
-}
-
-output "endpoint_relative_path" {
- value = local.webhook_endpoint
+ value = !var.eventbridge.enable ? module.direct[0].webhook.role : module.eventbridge[0].webhook.role
}
diff --git a/modules/webhook/policies/lambda-publish-eventbridge-policy.json b/modules/webhook/policies/lambda-publish-eventbridge-policy.json
new file mode 100644
index 0000000000..6ed365f3e6
--- /dev/null
+++ b/modules/webhook/policies/lambda-publish-eventbridge-policy.json
@@ -0,0 +1,10 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": ["events:PutEvents"],
+ "Resource": ${resource_arns}
+ }
+ ]
+}
diff --git a/modules/webhook/policies/lambda-ssm.json b/modules/webhook/policies/lambda-ssm.json
index 23864db305..9e33d1ca0a 100644
--- a/modules/webhook/policies/lambda-ssm.json
+++ b/modules/webhook/policies/lambda-ssm.json
@@ -4,10 +4,7 @@
{
"Effect": "Allow",
"Action": ["ssm:GetParameter"],
- "Resource": [
- "${github_app_webhook_secret_arn}",
- "${parameter_runner_matcher_config_arn}"
- ]
+ "Resource": ${resource_arns}
}
]
}
diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf
index f427fa3412..182f42053c 100644
--- a/modules/webhook/variables.tf
+++ b/modules/webhook/variables.tf
@@ -210,3 +210,16 @@ variable "matcher_config_parameter_store_tier" {
error_message = "`matcher_config_parameter_store_tier` value is not valid, valid values are: `Standard`, and `Advanced`."
}
}
+
+variable "eventbridge" {
+ description = < v if v != null
- }
- }
-
- dynamic "vpc_config" {
- for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
- content {
- security_group_ids = var.lambda_security_group_ids
- subnet_ids = var.lambda_subnet_ids
- }
- }
-
- tags = merge(var.tags, var.lambda_tags)
-
- dynamic "tracing_config" {
- for_each = var.tracing_config.mode != null ? [true] : []
- content {
- mode = var.tracing_config.mode
- }
- }
- lifecycle {
- replace_triggered_by = [aws_ssm_parameter.runner_matcher_config, null_resource.github_app_parameters]
- }
-}
-
-resource "aws_cloudwatch_log_group" "webhook" {
- name = "/aws/lambda/${aws_lambda_function.webhook.function_name}"
- retention_in_days = var.logging_retention_in_days
- kms_key_id = var.logging_kms_key_id
- tags = var.tags
-}
-
-resource "aws_lambda_permission" "webhook" {
- statement_id = "AllowExecutionFromAPIGateway"
- action = "lambda:InvokeFunction"
- function_name = aws_lambda_function.webhook.function_name
- principal = "apigateway.amazonaws.com"
- source_arn = "${aws_apigatewayv2_api.webhook.execution_arn}/*/*/${local.webhook_endpoint}"
- lifecycle {
- replace_triggered_by = [aws_ssm_parameter.runner_matcher_config, null_resource.github_app_parameters]
- }
+resource "aws_ssm_parameter" "runner_matcher_config" {
+ name = "${var.ssm_paths.root}/${var.ssm_paths.webhook}/runner-matcher-config"
+ type = "String"
+ value = jsonencode(local.runner_matcher_config_sorted)
+ tier = var.matcher_config_parameter_store_tier
}
-resource "null_resource" "github_app_parameters" {
- triggers = {
- github_app_webhook_secret = var.github_app_parameters.webhook_secret.name
+module "direct" {
+ count = var.eventbridge.enable ? 0 : 1
+ source = "./direct"
+
+ config = {
+ lambda_subnet_ids = var.lambda_subnet_ids,
+ lambda_security_group_ids = var.lambda_security_group_ids,
+ prefix = var.prefix,
+ tags = var.tags,
+ runner_matcher_config = var.runner_matcher_config,
+ sqs_job_queues_arns = [for k, v in var.runner_matcher_config : v.arn]
+ sqs_workflow_job_queue = var.sqs_workflow_job_queue,
+ lambda_zip = var.lambda_zip,
+ lambda_memory_size = var.lambda_memory_size,
+ lambda_timeout = var.lambda_timeout,
+ role_permissions_boundary = var.role_permissions_boundary,
+ role_path = local.role_path,
+ logging_retention_in_days = var.logging_retention_in_days,
+ logging_kms_key_id = var.logging_kms_key_id,
+ lambda_s3_bucket = var.lambda_s3_bucket,
+ lambda_s3_key = var.webhook_lambda_s3_key,
+ lambda_s3_object_version = var.webhook_lambda_s3_object_version,
+ lambda_apigateway_access_log_settings = var.webhook_lambda_apigateway_access_log_settings,
+ repository_white_list = var.repository_white_list,
+ kms_key_arn = var.kms_key_arn,
+ log_level = var.log_level,
+ lambda_runtime = var.lambda_runtime,
+ aws_partition = var.aws_partition,
+ lambda_architecture = var.lambda_architecture,
+ github_app_parameters = var.github_app_parameters,
+ tracing_config = var.tracing_config,
+ lambda_tags = var.lambda_tags,
+ matcher_config_parameter_store_tier = var.matcher_config_parameter_store_tier,
+ api_gw_source_arn = "${aws_apigatewayv2_api.webhook.execution_arn}/*/*/${local.webhook_endpoint}"
+ ssm_parameter_runner_matcher_config = aws_ssm_parameter.runner_matcher_config
}
}
-data "aws_iam_policy_document" "lambda_assume_role_policy" {
- statement {
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["lambda.amazonaws.com"]
- }
+module "eventbridge" {
+ count = var.eventbridge.enable ? 1 : 0
+ source = "./eventbridge"
+
+ config = {
+ lambda_subnet_ids = var.lambda_subnet_ids,
+ lambda_security_group_ids = var.lambda_security_group_ids,
+ prefix = var.prefix,
+ tags = var.tags,
+ sqs_job_queues_arns = [for k, v in var.runner_matcher_config : v.arn]
+ sqs_workflow_job_queue = var.sqs_workflow_job_queue,
+ lambda_zip = var.lambda_zip,
+ lambda_memory_size = var.lambda_memory_size,
+ lambda_timeout = var.lambda_timeout,
+ role_permissions_boundary = var.role_permissions_boundary,
+ role_path = local.role_path,
+ logging_retention_in_days = var.logging_retention_in_days,
+ logging_kms_key_id = var.logging_kms_key_id,
+ lambda_s3_bucket = var.lambda_s3_bucket,
+ lambda_s3_key = var.webhook_lambda_s3_key,
+ lambda_s3_object_version = var.webhook_lambda_s3_object_version,
+ lambda_apigateway_access_log_settings = var.webhook_lambda_apigateway_access_log_settings,
+ repository_white_list = var.repository_white_list,
+ kms_key_arn = var.kms_key_arn,
+ log_level = var.log_level,
+ lambda_runtime = var.lambda_runtime,
+ aws_partition = var.aws_partition,
+ lambda_architecture = var.lambda_architecture,
+ github_app_parameters = var.github_app_parameters,
+ tracing_config = var.tracing_config,
+ lambda_tags = var.lambda_tags,
+ api_gw_source_arn = "${aws_apigatewayv2_api.webhook.execution_arn}/*/*/${local.webhook_endpoint}"
+ ssm_parameter_runner_matcher_config = aws_ssm_parameter.runner_matcher_config
+ accept_events = var.eventbridge.accept_events
}
-}
-
-resource "aws_iam_role" "webhook_lambda" {
- name = "${var.prefix}-action-webhook-lambda-role"
- assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
- path = local.role_path
- permissions_boundary = var.role_permissions_boundary
- tags = var.tags
-}
-
-resource "aws_iam_role_policy" "webhook_logging" {
- name = "logging-policy"
- role = aws_iam_role.webhook_lambda.name
- policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
- log_group_arn = aws_cloudwatch_log_group.webhook.arn
- })
-}
-
-resource "aws_iam_role_policy_attachment" "webhook_vpc_execution_role" {
- count = length(var.lambda_subnet_ids) > 0 ? 1 : 0
- role = aws_iam_role.webhook_lambda.name
- policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
-}
-
-resource "aws_iam_role_policy" "webhook_sqs" {
- name = "publish-sqs-policy"
- role = aws_iam_role.webhook_lambda.name
-
- policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
- sqs_resource_arns = jsonencode([for k, v in var.runner_matcher_config : v.arn])
- kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : ""
- })
-}
-
-resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
- count = var.sqs_workflow_job_queue != null ? 1 : 0
- name = "publish-workflow-job-sqs-policy"
- role = aws_iam_role.webhook_lambda.name
-
- policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
- sqs_resource_arns = jsonencode([var.sqs_workflow_job_queue.arn])
- kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : ""
- })
-}
-
-resource "aws_iam_role_policy" "webhook_ssm" {
- name = "publish-ssm-policy"
- role = aws_iam_role.webhook_lambda.name
-
- policy = templatefile("${path.module}/policies/lambda-ssm.json", {
- github_app_webhook_secret_arn = var.github_app_parameters.webhook_secret.arn,
- parameter_runner_matcher_config_arn = aws_ssm_parameter.runner_matcher_config.arn
- })
-}
-resource "aws_iam_role_policy" "xray" {
- count = var.tracing_config.mode != null ? 1 : 0
- name = "xray-policy"
- policy = data.aws_iam_policy_document.lambda_xray[0].json
- role = aws_iam_role.webhook_lambda.name
}
diff --git a/outputs.tf b/outputs.tf
index 2bc58caa20..ce49e8927c 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -37,6 +37,9 @@ output "webhook" {
lambda_log_group = module.webhook.lambda_log_group
lambda_role = module.webhook.role
endpoint = "${module.webhook.gateway.api_endpoint}/${module.webhook.endpoint_relative_path}"
+ webhook = module.webhook.webhook
+ dispatcher = var.eventbridge.enable ? module.webhook.dispatcher : null
+ eventbridge = var.eventbridge.enable ? module.webhook.eventbridge : null
}
}
diff --git a/variables.tf b/variables.tf
index 0eccb5a3c0..86535107af 100644
--- a/variables.tf
+++ b/variables.tf
@@ -724,7 +724,7 @@ variable "lambda_architecture" {
}
variable "enable_workflow_job_events_queue" {
- description = "Enabling this experimental feature will create a secondory sqs queue to which a copy of the workflow_job event will be delivered."
+ description = "Enabling this experimental feature will create a secondary SQS queue to which a copy of the workflow_job event will be delivered."
type = bool
default = false
}
@@ -944,3 +944,19 @@ variable "job_retry" {
})
default = {}
}
+
+
+variable "eventbridge" {
+ description = <