From baefb539ba02220493c4c83a76c070fac84d52bf Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Fri, 1 Oct 2021 13:08:03 +0200 Subject: [PATCH] fix: remove unused app client since SSH key is used to secure app authorization --- README.md | 27 ++++++++++---- examples/default/main.tf | 13 ++++--- examples/ubuntu/main.tf | 2 -- main.tf | 6 ++-- modules/runners/README.md | 29 +++++++++++++-- .../runners/src/scale-runners/gh-auth.test.ts | 36 ++----------------- .../runners/src/scale-runners/gh-auth.ts | 2 -- .../runners/policies/lambda-scale-down.json | 2 -- modules/runners/policies/lambda-scale-up.json | 2 -- modules/runners/scale-down.tf | 26 ++++++-------- modules/runners/scale-up.tf | 36 +++++++++---------- modules/runners/variables.tf | 6 ++-- modules/ssm/outputs.tf | 8 ----- modules/ssm/ssm.tf | 16 --------- modules/ssm/variables.tf | 2 -- variables.tf | 2 -- 16 files changed, 89 insertions(+), 126 deletions(-) diff --git a/README.md b/README.md index 24a1acbbc5..87d7a23dfe 100644 --- a/README.md +++ b/README.md @@ -129,8 +129,7 @@ Go to GitHub and [create a new app](https://docs.github.com/en/developers/apps/c - `Self-hosted runners`: Read & write (to register runner) 8. Save the new app. 9. On the General page, make a note of the "App ID" and "Client ID" parameters. -10. Create a new client secret and also write it down. -11. Generate a new private key and save the `app.private-key.pem` file. +10. Generate a new private key and save the `app.private-key.pem` file. ### Setup terraform module @@ -174,8 +173,6 @@ module "github-runner" { github_app = { key_base64 = "base64string" id = "1" - client_id = "c-123" - client_secret = "client_secret" webhook_secret = "webhook_secret" } @@ -343,6 +340,23 @@ No requirements. | aws | n/a | | random | n/a | +## Modules + +| Name | Source | Version | +|------|--------|---------| +| runner_binaries | ./modules/runner-binaries-syncer | | +| runners | ./modules/runners | | +| ssm | ./modules/ssm | | +| webhook | ./modules/webhook | | + +## Resources + +| Name | +|------| +| [aws_resourcegroups_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | +| [aws_sqs_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | +| [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | + ## Inputs | Name | Description | Type | Default | Required | @@ -358,9 +372,9 @@ No requirements. | enable\_organization\_runners | Register runners to organization, instead of repo level | `bool` | `false` | no | | enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | `false` | no | | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | +| ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | ghes\_url | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no | -| ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to `false` when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | -| github\_app | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | 
object({
    key_base64     = string
    id             = string
    client_id      = string
    client_secret  = string
    webhook_secret = string
  })
| n/a | yes | +| github\_app | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | 
object({
    key_base64     = string
    id             = string
    webhook_secret = string
  })
| n/a | yes | | idle\_config | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. | 
list(object({
    cron      = string
    timeZone  = string
    idleCount = number
  }))
| `[]` | no | | instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no | | instance\_type | [DEPRECATED] See instance\_types. | `string` | `"m5.large"` | no | @@ -416,7 +430,6 @@ No requirements. | runners | n/a | | ssm\_parameters | n/a | | webhook | n/a | - ## Contribution diff --git a/examples/default/main.tf b/examples/default/main.tf index ae3ec2c2ba..126aea0dd4 100644 --- a/examples/default/main.tf +++ b/examples/default/main.tf @@ -27,8 +27,6 @@ module "runners" { github_app = { key_base64 = var.github_app_key_base64 id = var.github_app_id - client_id = var.github_app_client_id - client_secret = var.github_app_client_secret webhook_secret = random_password.random.result } @@ -48,9 +46,14 @@ module "runners" { # idleCount = 1 # }] - # disable KMS and encryption - # encrypt_secrets = false - # Let the module manage the service linked role # create_service_linked_role_spot = true + + instance_types = ["m5.large", "c5.large"] + + # override delay of events in seconds + delay_webhook_event = 5 + + # override scaling down + scale_down_schedule_expression = "cron(* * * * ? *)" } diff --git a/examples/ubuntu/main.tf b/examples/ubuntu/main.tf index 60c397eb26..6cadee69d4 100644 --- a/examples/ubuntu/main.tf +++ b/examples/ubuntu/main.tf @@ -22,8 +22,6 @@ module "runners" { github_app = { key_base64 = var.github_app_key_base64 id = var.github_app_id - client_id = var.github_app_client_id - client_secret = var.github_app_client_secret webhook_secret = random_password.random.result } diff --git a/main.tf b/main.tf index 3745dc3a27..9058062fce 100644 --- a/main.tf +++ b/main.tf @@ -9,10 +9,8 @@ locals { ami_filter = length(var.ami_filter) > 0 ? var.ami_filter : local.runner_architecture == "arm64" ? { name = ["amzn2-ami-hvm-2*-arm64-gp2"] } : { name = ["amzn2-ami-hvm-2.*-x86_64-ebs"] } github_app_parameters = { - client_id = module.ssm.parameters.github_app_client_id - client_secret = module.ssm.parameters.github_app_client_secret - id = module.ssm.parameters.github_app_id - key_base64 = module.ssm.parameters.github_app_key_base64 + id = module.ssm.parameters.github_app_id + key_base64 = module.ssm.parameters.github_app_key_base64 } } diff --git a/modules/runners/README.md b/modules/runners/README.md index 752ca37093..f27097c81f 100644 --- a/modules/runners/README.md +++ b/modules/runners/README.md @@ -58,6 +58,31 @@ No requirements. |------|---------| | aws | n/a | +## Modules + +No Modules. + +## Resources + +| Name | +|------| +| [aws_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | +| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | +| [aws_cloudwatch_event_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | +| [aws_cloudwatch_event_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | +| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | +| [aws_iam_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | +| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | +| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | +| [aws_iam_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | +| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | +| [aws_lambda_event_source_mapping](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | +| [aws_lambda_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | +| [aws_lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | +| [aws_launch_template](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | +| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | +| [aws_ssm_parameter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | + ## Inputs | Name | Description | Type | Default | Required | @@ -73,8 +98,9 @@ No requirements. | enable\_organization\_runners | n/a | `bool` | n/a | yes | | enable\_ssm\_on\_runners | Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes | | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes | +| ghes\_ssl\_verify | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no | | ghes\_url | GitHub Enterprise Server URL. DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no | -| github\_app\_parameters | Parameter Store for GitHub App Parameters. | 
object({
    key_base64    = map(string)
    id            = map(string)
    client_id     = map(string)
    client_secret = map(string)
  })
| n/a | yes | +| github\_app\_parameters | Parameter Store for GitHub App Parameters. | 
object({
    key_base64 = map(string)
    id         = map(string)
  })
| n/a | yes | | idle\_config | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. | 
list(object({
    cron      = string
    timeZone  = string
    idleCount = number
  }))
| `[]` | no | | instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no | | instance\_type | [DEPRECATED] See instance\_types. | `string` | `"m5.large"` | no | @@ -126,7 +152,6 @@ No requirements. | role\_runner | n/a | | role\_scale\_down | n/a | | role\_scale\_up | n/a | - ## Philips Forest diff --git a/modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts b/modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts index 86ab1b6c08..34af3abce5 100644 --- a/modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts +++ b/modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts @@ -16,12 +16,8 @@ jest.mock('@octokit/auth-app'); const cleanEnv = process.env; const ENVIRONMENT = 'dev'; const GITHUB_APP_ID = '1'; -const GITHUB_APP_CLIENT_ID = '1'; -const GITHUB_APP_CLIENT_SECRET = 'client_secret'; const PARAMETER_GITHUB_APP_ID_NAME = `/actions-runner/${ENVIRONMENT}/github_app_id`; const PARAMETER_GITHUB_APP_KEY_BASE64_NAME = `/actions-runner/${ENVIRONMENT}/github_app_key_base64`; -const PARAMETER_GITHUB_APP_CLIENT_ID_NAME = `/actions-runner/${ENVIRONMENT}/github_app_client_id`; -const PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = `/actions-runner/${ENVIRONMENT}/github_app_client_secret`; const mockedGet = mocked(getParameterValue); @@ -31,8 +27,6 @@ beforeEach(() => { process.env = { ...cleanEnv }; process.env.PARAMETER_GITHUB_APP_ID_NAME = PARAMETER_GITHUB_APP_ID_NAME; process.env.PARAMETER_GITHUB_APP_KEY_BASE64_NAME = PARAMETER_GITHUB_APP_KEY_BASE64_NAME; - process.env.PARAMETER_GITHUB_APP_CLIENT_ID_NAME = PARAMETER_GITHUB_APP_CLIENT_ID_NAME; - process.env.PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME; nock.disableNetConnect(); }); @@ -83,14 +77,8 @@ describe('Test createGithubAppAuth', () => { appId: parseInt(GITHUB_APP_ID), privateKey: decryptedValue, installationId, - clientId: GITHUB_APP_CLIENT_ID, - clientSecret: GITHUB_APP_CLIENT_SECRET, }; - mockedGet - .mockResolvedValueOnce(GITHUB_APP_ID) - .mockResolvedValueOnce(b64) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_ID) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_SECRET); + mockedGet.mockResolvedValueOnce(GITHUB_APP_ID).mockResolvedValueOnce(b64); const mockedAuth = jest.fn(); mockedAuth.mockResolvedValue({ token }); @@ -104,8 +92,6 @@ describe('Test createGithubAppAuth', () => { // Assert expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_ID_NAME); expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_KEY_BASE64_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_ID_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME); expect(mockedCreatAppAuth).toBeCalledTimes(1); expect(mockedCreatAppAuth).toBeCalledWith(authOptions); @@ -126,16 +112,10 @@ describe('Test createGithubAppAuth', () => { appId: parseInt(GITHUB_APP_ID), privateKey: decryptedValue, installationId, - clientId: GITHUB_APP_CLIENT_ID, - clientSecret: GITHUB_APP_CLIENT_SECRET, request: mockedRequestInterface.defaults({ baseUrl: githubServerUrl }), }; - mockedGet - .mockResolvedValueOnce(GITHUB_APP_ID) - .mockResolvedValueOnce(b64) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_ID) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_SECRET); + mockedGet.mockResolvedValueOnce(GITHUB_APP_ID).mockResolvedValueOnce(b64); const mockedAuth = jest.fn(); mockedAuth.mockResolvedValue({ token }); // eslint-disable-next-line @typescript-eslint/no-unused-vars @@ -149,8 +129,6 @@ describe('Test createGithubAppAuth', () => { // Assert expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_ID_NAME); expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_KEY_BASE64_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_ID_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME); expect(mockedCreatAppAuth).toBeCalledTimes(1); expect(mockedCreatAppAuth).toBeCalledWith(authOptions); @@ -172,16 +150,10 @@ describe('Test createGithubAppAuth', () => { const authOptions = { appId: parseInt(GITHUB_APP_ID), privateKey: decryptedValue, - clientId: GITHUB_APP_CLIENT_ID, - clientSecret: GITHUB_APP_CLIENT_SECRET, request: mockedRequestInterface.defaults({ baseUrl: githubServerUrl }), }; - mockedGet - .mockResolvedValueOnce(GITHUB_APP_ID) - .mockResolvedValueOnce(b64) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_ID) - .mockResolvedValueOnce(GITHUB_APP_CLIENT_SECRET); + mockedGet.mockResolvedValueOnce(GITHUB_APP_ID).mockResolvedValueOnce(b64); const mockedAuth = jest.fn(); mockedAuth.mockResolvedValue({ token }); mockedCreatAppAuth.mockImplementation(() => { @@ -194,8 +166,6 @@ describe('Test createGithubAppAuth', () => { // Assert expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_ID_NAME); expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_KEY_BASE64_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_ID_NAME); - expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME); expect(mockedCreatAppAuth).toBeCalledTimes(1); expect(mockedCreatAppAuth).toBeCalledWith(authOptions); diff --git a/modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts b/modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts index cda6e5d3ab..18f040468b 100644 --- a/modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts +++ b/modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts @@ -49,8 +49,6 @@ async function createAuth(installationId: number | undefined, ghesApiUrl: string await getParameterValue(process.env.PARAMETER_GITHUB_APP_KEY_BASE64_NAME), 'base64', ).toString(), - clientId: await getParameterValue(process.env.PARAMETER_GITHUB_APP_CLIENT_ID_NAME), - clientSecret: await getParameterValue(process.env.PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME), }; if (installationId) authOptions = { ...authOptions, installationId }; diff --git a/modules/runners/policies/lambda-scale-down.json b/modules/runners/policies/lambda-scale-down.json index b201de9356..c63d54741f 100644 --- a/modules/runners/policies/lambda-scale-down.json +++ b/modules/runners/policies/lambda-scale-down.json @@ -32,8 +32,6 @@ ], "Resource": [ "${github_app_key_base64_arn}", - "${github_app_client_secret_arn}", - "${github_app_client_id_arn}", "${github_app_id_arn}" ] %{ if kms_key_arn != "" ~} diff --git a/modules/runners/policies/lambda-scale-up.json b/modules/runners/policies/lambda-scale-up.json index 8ff4b2469f..057bb77068 100644 --- a/modules/runners/policies/lambda-scale-up.json +++ b/modules/runners/policies/lambda-scale-up.json @@ -45,8 +45,6 @@ ], "Resource": [ "${github_app_key_base64_arn}", - "${github_app_client_secret_arn}", - "${github_app_client_id_arn}", "${github_app_id_arn}" ] }, diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf index 406abe5d6f..25b3439a5d 100644 --- a/modules/runners/scale-down.tf +++ b/modules/runners/scale-down.tf @@ -13,16 +13,14 @@ resource "aws_lambda_function" "scale_down" { environment { variables = { - ENVIRONMENT = var.environment - MINIMUM_RUNNING_TIME_IN_MINUTES = var.minimum_running_time_in_minutes - RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes - SCALE_DOWN_CONFIG = jsonencode(var.idle_config) - GHES_URL = var.ghes_url - NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1 - PARAMETER_GITHUB_APP_CLIENT_ID_NAME = var.github_app_parameters.client_id.name - PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = var.github_app_parameters.client_secret.name - PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name - PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name + ENVIRONMENT = var.environment + MINIMUM_RUNNING_TIME_IN_MINUTES = var.minimum_running_time_in_minutes + RUNNER_BOOT_TIME_IN_MINUTES = var.runner_boot_time_in_minutes + SCALE_DOWN_CONFIG = jsonencode(var.idle_config) + GHES_URL = var.ghes_url + NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1 + PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name + PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name } } @@ -72,11 +70,9 @@ resource "aws_iam_role_policy" "scale_down" { name = "${var.environment}-lambda-scale-down-policy" role = aws_iam_role.scale_down.name policy = templatefile("${path.module}/policies/lambda-scale-down.json", { - github_app_client_id_arn = var.github_app_parameters.client_id.arn - github_app_client_secret_arn = var.github_app_parameters.client_secret.arn - github_app_id_arn = var.github_app_parameters.id.arn - github_app_key_base64_arn = var.github_app_parameters.key_base64.arn - kms_key_arn = local.kms_key_arn + github_app_id_arn = var.github_app_parameters.id.arn + github_app_key_base64_arn = var.github_app_parameters.key_base64.arn + kms_key_arn = local.kms_key_arn }) } diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index 435294e29b..b878bf55ba 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf @@ -14,19 +14,17 @@ resource "aws_lambda_function" "scale_up" { environment { variables = { - ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners - ENVIRONMENT = var.environment - GHES_URL = var.ghes_url - NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1 - RUNNER_EXTRA_LABELS = var.runner_extra_labels - RUNNER_GROUP_NAME = var.runner_group_name - RUNNERS_MAXIMUM_COUNT = var.runners_maximum_count - LAUNCH_TEMPLATE_NAME = join(",", [for template in aws_launch_template.runner : template.name]) - SUBNET_IDS = join(",", var.subnet_ids) - PARAMETER_GITHUB_APP_CLIENT_ID_NAME = var.github_app_parameters.client_id.name - PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = var.github_app_parameters.client_secret.name - PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name - PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name + ENABLE_ORGANIZATION_RUNNERS = var.enable_organization_runners + ENVIRONMENT = var.environment + GHES_URL = var.ghes_url + NODE_TLS_REJECT_UNAUTHORIZED = var.ghes_url != null && ! var.ghes_ssl_verify ? 0 : 1 + RUNNER_EXTRA_LABELS = var.runner_extra_labels + RUNNER_GROUP_NAME = var.runner_group_name + RUNNERS_MAXIMUM_COUNT = var.runners_maximum_count + LAUNCH_TEMPLATE_NAME = join(",", [for template in aws_launch_template.runner : template.name]) + SUBNET_IDS = join(",", var.subnet_ids) + PARAMETER_GITHUB_APP_ID_NAME = var.github_app_parameters.id.name + PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name } } @@ -70,13 +68,11 @@ resource "aws_iam_role_policy" "scale_up" { name = "${var.environment}-lambda-scale-up-policy" role = aws_iam_role.scale_up.name policy = templatefile("${path.module}/policies/lambda-scale-up.json", { - arn_runner_instance_role = aws_iam_role.runner.arn - sqs_arn = var.sqs_build_queue.arn - github_app_client_id_arn = var.github_app_parameters.client_id.arn - github_app_client_secret_arn = var.github_app_parameters.client_secret.arn - github_app_id_arn = var.github_app_parameters.id.arn - github_app_key_base64_arn = var.github_app_parameters.key_base64.arn - kms_key_arn = local.kms_key_arn + arn_runner_instance_role = aws_iam_role.runner.arn + sqs_arn = var.sqs_build_queue.arn + github_app_id_arn = var.github_app_parameters.id.arn + github_app_key_base64_arn = var.github_app_parameters.key_base64.arn + kms_key_arn = local.kms_key_arn }) } diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf index aaf10d449b..ba8fcbd5ec 100644 --- a/modules/runners/variables.tf +++ b/modules/runners/variables.tf @@ -116,10 +116,8 @@ variable "enable_organization_runners" { variable "github_app_parameters" { description = "Parameter Store for GitHub App Parameters." type = object({ - key_base64 = map(string) - id = map(string) - client_id = map(string) - client_secret = map(string) + key_base64 = map(string) + id = map(string) }) } diff --git a/modules/ssm/outputs.tf b/modules/ssm/outputs.tf index 7a61c60202..3545a839c3 100644 --- a/modules/ssm/outputs.tf +++ b/modules/ssm/outputs.tf @@ -1,13 +1,5 @@ output "parameters" { value = { - github_app_client_id = { - name = aws_ssm_parameter.github_app_client_id.name - arn = aws_ssm_parameter.github_app_client_id.arn - } - github_app_client_secret = { - name = aws_ssm_parameter.github_app_client_secret.name - arn = aws_ssm_parameter.github_app_client_secret.arn - } github_app_id = { name = aws_ssm_parameter.github_app_id.name arn = aws_ssm_parameter.github_app_id.arn diff --git a/modules/ssm/ssm.tf b/modules/ssm/ssm.tf index 3605bb4833..91f1d17cdf 100644 --- a/modules/ssm/ssm.tf +++ b/modules/ssm/ssm.tf @@ -1,19 +1,3 @@ -resource "aws_ssm_parameter" "github_app_client_id" { - name = "/actions_runner/${var.environment}/github_app_client_id" - type = "SecureString" - value = var.github_app.client_id - key_id = local.kms_key_arn - tags = var.tags -} - -resource "aws_ssm_parameter" "github_app_client_secret" { - name = "/actions_runner/${var.environment}/github_app_client_secret" - type = "SecureString" - value = var.github_app.client_secret - key_id = local.kms_key_arn - tags = var.tags -} - resource "aws_ssm_parameter" "github_app_id" { name = "/actions_runner/${var.environment}/github_app_id" type = "SecureString" diff --git a/modules/ssm/variables.tf b/modules/ssm/variables.tf index 6cb03951c0..7528d0721c 100644 --- a/modules/ssm/variables.tf +++ b/modules/ssm/variables.tf @@ -3,8 +3,6 @@ variable "github_app" { type = object({ key_base64 = string id = string - client_id = string - client_secret = string webhook_secret = string }) } diff --git a/variables.tf b/variables.tf index 2a9b831be2..172257fdcc 100644 --- a/variables.tf +++ b/variables.tf @@ -35,8 +35,6 @@ variable "github_app" { type = object({ key_base64 = string id = string - client_id = string - client_secret = string webhook_secret = string }) }