Move Lambda Vars to Parameter Store #941
Merged
36 commits
736a854 (mcaulifn) fix(scale): Refactor Runner Type and Owner (#871)
6e35845 (mcaulifn) feat: support multiple instance types (#898)
a768687 (npalm) docs: fix lambda_security_group_ids incorrect description #738 (#902)
5b5ee3b (npalm) fix: scale down runners (#905)
8746249 (npalm) chore: group upgrade lambda dependencies (#906)
7bda880 (mcaulifn) feat(runner): Move Lambda Vars to Parameter Store
333eae7 (mcaulifn) Add test for ssm module (#1)
65535fb (mcaulifn) Removing KMS/GH Auth from scale-down
b460a1a (mcaulifn) Merge branch 'mcaulifn/ssm' of https://github.com/mcaulifn/terraform-…
aecc383 (mcaulifn) Add SSM permissions to runner policy
c84ae6c (mcaulifn) Allow custom key_id
d2b61f1 (mcaulifn) Fixing for loop
8f34d71 (mcaulifn) Move SSM policy to Lambdas
7d44ac8 (mcaulifn) Fixing function call
66bd078 (dependabot[bot]) chore: Bump aws-sdk (#752) (#909)
77c8e13 (dependabot[bot]) chore: Bump aws-sdk (#752) (#908)
fe0a126 (dependabot[bot]) chore: Bump aws-sdk (#752) (#887)
174b4ca (dependabot[bot]) chore: Bump aws-sdk (#752) (#885)
0f1493f (dependabot[bot]) chore: Bump aws-sdk (#752) (#889)
5314469 (dependabot[bot]) chore: Bump aws-sdk (#752) (#892)
640ef5f (dependabot[bot]) chore: Bump aws-sdk (#752) (#907)
1658635 (dependabot[bot]) chore: Bump aws-sdk (#752) (#864)
a401c0d (dependabot[bot]) chore: Bump eslint in /modules/webhook/lambdas/webhook (#918)
870280b (dependabot[bot]) chore: Bump typescript (#929)
0fdf8cf (dependabot[bot]) chore: Bump @typescript-eslint/eslint-plugin (#928)
a6b9a29 (dependabot[bot]) chore: Bump typescript in /modules/webhook/lambdas/webhook (#926)
b5096bb (ravenolf) feat: Added support for white listing of repositories (#915)
7ac1a25 (mcaulifn) Need `,` after list item
cbf7a70 (mcaulifn) Move Lambda Policy to data resource
d8e6fbd (mcaulifn) Merge branch 'develop' into mcaulifn/ssm
d46f9e2 (mcaulifn) Merge branch 'develop' into mcaulifn/ssm
0c9aff5 (mcaulifn) Addressing PR comments, fixing lint
3104d34 (mcaulifn) Refactoring Parameters to SSM Module
7c09270 (mcaulifn) Merge branch 'develop' into mcaulifn/ssm
4ea2a17 (mcaulifn) Fixing rebase
19199e3 (mcaulifn) Using only key ARN as input value
Having a second thought, this change grants the runner instance role permission to read any parameter in SSM. The runner should only be able to read the token generated for the instance. So I suggest we only grant the runner access to environment-*. I will refactor this later into an even clearer path that only gives access to this token. We should avoid that a process in the runner could call the AWS API and fetch the token to start acting as the app.
By updating this policy you change only the policies attached to the runner. I think it is better to create a new template, for example lambda-ssm-parameter-policies.json, which grants read access to the parameters in the path environment/github_app/*, so it is clear that the lambda can act on behalf of the app.
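An added illustration (not code from this PR or the project) of the scoping the review asks for: a simplified IAM Allow/Resource matcher run over the broad runner policy, the runner policy scoped to `environment-*`, and a separate lambda policy for `environment/github_app/*`. The region, account id, instance id and the `key_base64` parameter name are constructed assumptions, and only Allow statements are evaluated (no Deny, no Condition).

```python
import re

# Constructed placeholders for region/account; the parameter prefixes follow
# the review comment ('environment-*' and 'environment/github_app/*').
PARAM_ARN = "arn:aws:ssm:eu-west-1:123456789012:parameter/"
APP_KEY = PARAM_ARN + "environment/github_app/key_base64"
RUNNER_TOKEN = PARAM_ARN + "environment-i-0123456789abcdef0"


def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def as_list(v):
    return v if isinstance(v, list) else [v]


def allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation: True if any Allow statement covers both the
    action and the resource (explicit Deny and Condition are ignored)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(iam_match(a, action) for a in as_list(st["Action"])) and any(
            iam_match(r, resource) for r in as_list(st["Resource"])
        ):
            return True
    return False


# The shape the reviewer objected to: the runner instance role may read
# every parameter in the account, including the GitHub App private key.
BROAD_RUNNER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameter*", "Resource": "*"}]}

# Scoped as suggested: the runner reads only its own registration tokens.
SCOPED_RUNNER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameter*",
     "Resource": PARAM_ARN + "environment-*"}]}

# Separate template for the lambdas (the proposed lambda-ssm-parameter-policies.json):
# only the GitHub App secrets path, so only the lambda can act as the app.
LAMBDA_SSM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameter*",
     "Resource": PARAM_ARN + "environment/github_app/*"}]}


def runner_can_read_app_key(policy: dict) -> bool:
    """The risk named in the review: a process on the runner fetching the app key."""
    return allows(policy, "ssm:GetParameter", APP_KEY)
```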
Sounds good. I'll draft up something a bit more limiting.
Looks like there is already a lambda policy template that has SSM permissions.