Move Lambda Vars to Parameter Store

[mcaulifn]

With the addition of #898 , the environment variable size for the scale-up lambda could exceed the 4kb size limit. This reduces the size by moving variables to Parameter Store as SecureStrings. Custom CMK can still be used for encrypting variables in the paramater store (ssm).

• Moves GitHub auth variables to Parameter Store
• Removes KMS from runners and webhook submodule
• Fixes outstanding lint

Fixes #587

Mirgration Directions

When using a CMK by setting the variable kms_key_id, a small update is required. Replace this variable by the ARN of the CMK by setting kms_key_arn.

[mcaulifn]

@npalm Got another one for you 🚀

[npalm]

@mcaulifn short update, planned to check your PR this afternoon

[npalm]

@mcaulifn thanks for taking the time to contribute to this module!!! I have a few somments. The change is not working at the moment since some policies to retrieve the parameters from SSM by the Lambda are missing.

[npalm]

Can you add the attibute key_id with no default null, not sure if that will work. This still give the users of the module to use their own keys (CMK) instead of amazon provided. Same comments for other SSM parameters.

[mcaulifn]

Added kms_key_id back in. There is no option to not encrypt though.

[npalm]

The naming pattern you use here does not match policy set to the runner which allows to get parameters named like "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${var.environment}-*". So testing the setup results in an erros once the lambda tries to get the parameter

ERROR	AccessDeniedException: User: arn:aws:sts::123456789:assumed-role/default-action-scale-up-lambda-role/default-scale-up is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:123456789:parameter/actions_runner/default/github_app_id

Seems policies for the scale up / down lambda needs to be adjusted.

The paramater in SSM that is used to create the runner is expecting environment-instanceId in the name. Changing this is not an option since users of the module that build there own user_data script releies on this name, aka the name.

[mcaulifn]

I will add it to the policy. Not looking to change the existing pattern.

[npalm]

Having a second thougt, this change grants the runner instance role to read any parameter in SSM. The runner should only able to read the token generated for the instance. So suggest we only grant the runner access to environment-*. I will refactor this later in even a more clear path that only gives access to this token. We should avoid that a process in the runner could call the aws api and fetch the token to start acting as the app.

With updating this policy you change only the policies attached to runner. I think it is better to create a new template, for example lambda-ssm-parameter-policies.json. Which you grant read access to the pramaters in the path environment/github_app/* So it clear that the lambda can act on behalf of the app.

[mcaulifn]

Sounds good. I'll draft up something a bit more limiting.

[mcaulifn]

Looks like there is already a lambda policy template that has SSM permissions.

[mcaulifn]

@npalm I still need to deploy this in test. Hoping today or Tuesday.

[npalm]

@npalm I still need to deploy this in test. Hoping today or Tuesday.

Take your time, I have no option to check a deployment before Tuesday. Great work!

[npalm]

Ready to check?

[npalm]

thanks, will test asap

[npalm]

Great work so far. I have tested a basic upgrade.

• Scaling up works fine with an AWS manabed key.
• Scaling down looks broken. I got a message like: Orphan runner 'i-123' cannot be removed.

  terraform-aws-github-runner/modules/runners/lambdas/runners/src/scale-runners/scale-down.ts

  Line 184 in 68635dd

  if (orphanEc2Runner) {

  So this means the runner was removed in an earlier scale down attempt. Runner is removed from github but instance still running in AWS. most likely a permission issue.
• Not tested the CMK yet. but will fail since there is no permission to decrypt.
• Are you aware that also the webhook is using KMS to store the github app secret?
• Right now by default the standard SSM policy is attached to the runner, this grant access to all SSM parameters. Looks like we have to see how we can make this stricter

[npalm]

Please can you define the policy_x.json file to define the policy. Load the policies with templatefile. We have choosen this approach so we can use the standard json notation of aws policies

[mcaulifn]

Moving this to a policy file may make the CMK permissions more complicated. I'll play around with it.

[npalm]

Let me know if you need a couple of complex examples for inspiraction.

[npalm]

In general the policy looks good, and works for a AWS managed key. But once using a CMK also the decrypt action for the key should be granted to the lambda., see also .https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html.

[mcaulifn]

Good catch - will add this to the policy.

[npalm]

Please can you revert back to the templatefile?

[mcaulifn]

Are you aware that also the webhook is using KMS to store the github app secret?

Did you want me to do that in a separate PR or this PR?

Right now by default the standard SSM policy is attached to the runner, this grant access to all SSM parameters. Looks like we have to see how we can make this stricter

The policy limits to those parameters prefaced with ${var.environment}-*. The new parameters are /actions_runner/${var.environment}/github_blah. I don't think there will be unnecessary permissions for the runners here.

[npalm]

Are you aware that also the webhook is using KMS to store the github app secret?

Did you want me to do that in a separate PR or this PR?

Right now by default the standard SSM policy is attached to the runner, this grant access to all SSM parameters. Looks like we have to see how we can make this stricter

The policy limits to those parameters prefaced with ${var.environment}-*. The new parameters are /actions_runner/${var.environment}/github_blah. I don't think there will be unnecessary permissions for the runners here.

• Since we trying to remove KMS in this PR, I prefer to remove the webhook as well. So would prefer al in one PR.
• And the moment the user enabled ssm

  terraform-aws-github-runner/modules/runners/policies-runner.tf

  Line 17 in 68635dd

  resource "aws_iam_role_policy_attachment" "runner_session_manager_aws_managed" {

  the attaced policy grant access to all parameters. This we can address in a seprate PR. But think the scope of the standard policy it so wide.

[mcaulifn]

I think I got all the changes. I tested with and without a CMK defined.

[npalm]

I think I got all the changes. I tested with and without a CMK defined.

Thanks, sorry for the late response, will do my best to check the PR in the next days

[npalm]

Test default example including upgrade (withou CMK). All works like a charm.

[npalm]

@mcaulifn thanks for all the hard work. I think your change is the way forward but find some issues that I would like to addres or need at least a bit more of thinking.

SSM parameters

The new introduced paramaters are defined on root level of the runner. And the lambda's are doing a looking up based on convention. The whole module is designed in such way that it is also possible to use the sub modules complete seperate. When users of the module are using the module via the submodules, they also are required to create the SSM parameters as weel. Same holds for the SQS queue. What we could do is move the parameters to a submodule to do the constuction work

Removal of CMK

Currently the runner is managoing by default a CMK. For this change we have to update the README as well.

Migrations paths

No migration is required which I really like. But I have tested several ipdates. Swapping between runner managed key (aws default) and CMK creates some raise conditon. SSM parameters are not correctly updated. I have made some changes to ssm..tf

locals {
  default_key_ssm = "alias/aws/ssm"
}

resource "aws_ssm_parameter" "github_app_client_id" {
  name   = "/actions_runner/${var.environment}/github_app_client_id"
  type   = "SecureString"
  value  = var.github_app.client_id
  key_id = var.kms_key_id == null ? local.default_key_ssm : var.kms_key_id
}

# Same for the orther resources

With this changes SSM parameters are correctly stored.

SSM sessions

I will create a seperate PR for decreasing the privileges to the runner instances for SSM sessions.

Would be great if you can make some time to chck my remakrts. Oterwise I can merge the PR to a branch and fix the left overs in next week. Please let me know what you preferences is.

[mcaulifn]

@npalm I'll get these sorted tomorrow.

I'm curious about the migrations though. I had migrated between no key and key and didn't have any issues so I'm surprised you did.

[npalm]

@npalm I'll get these sorted tomorrow.

I'm curious about the migrations though. I had migrated between no key and key and didn't have any issues so I'm surprised you did.

Problem occurs when moving back to no key. Once looking up the resources in SSM the key was still there. Therefore I added explicit the aws alias key for SSM. And set the parameter overwrite to true

[mcaulifn]

Deployed to test using CMK. @npalm Should be good to go

[npalm]

Just 2 small findings Great work!

[mcaulifn]

@npalm Deployed using CMK then migrated to default key.

[npalm]

LGTM, will test asap. So summarising: users using the module should update their config with the cmk arn instead of the id.

[npalm]

Will do a bit more testing before merging. But expect no required changes

[npalm]

@mcaulifn thanks for all the refactoring work!

[dimisjim]

Hey there,

so basically after these changes, there is no longer the option to have the secrets not encrypted?

[mcaulifn]

@dimisjim Yes, that is correct.