Move Lambda Vars to Parameter Store

main.tf

@@ -60,10 +60,6 @@ module "runners" {
   subnet_ids  = var.subnet_ids
   environment = var.environment
   tags        = local.tags
-  encryption = {
-    kms_key_id = local.kms_key_id
-    encrypt    = var.encrypt_secrets
-  }
 
   s3_bucket_runner_binaries   = module.runner_binaries.bucket
   s3_location_runner_binaries = local.s3_action_runner_url
@@ -118,6 +114,8 @@ module "runners" {
   runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns
 
   ghes_url = var.ghes_url
+
+  kms_key_id = var.kms_key_id
 }
 
 module "runner_binaries" {

modules/runners/README.md

@@ -76,8 +76,6 @@ No Modules.
 | [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
 | [aws_iam_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) |
 | [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) |
-| [aws_kms_ciphertext](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_ciphertext) |
-| [aws_kms_grant](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_grant) |
 | [aws_lambda_event_source_mapping](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) |
 | [aws_lambda_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) |
 | [aws_lambda_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) |
@@ -98,7 +96,6 @@ No Modules.
 | enable\_cloudwatch\_agent | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no |
 | enable\_organization\_runners | n/a | `bool` | n/a | yes |
 | enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes |
-| encryption | KMS key to encrypted lambda environment secrets. Either provide a key and `encrypt` set to `true`. Or set the key to `null` and encrypt to `false`. | <pre>object({<br>    kms_key_id = string<br>    encrypt    = bool<br>  })</pre> | n/a | yes |
 | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
 | ghes\_url | GitHub Enterprise Server URL. DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no |
 | github\_app | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). | <pre>object({<br>    key_base64    = string<br>    id            = string<br>    client_id     = string<br>    client_secret = string<br>  })</pre> | n/a | yes |
@@ -107,6 +104,7 @@ No Modules.
 | instance\_type | [DEPRECATED] See instance\_types. | `string` | `"m5.large"` | no |
 | instance\_types | List of instance types for the action runner. | `set(string)` | `null` | no |
 | key\_name | Key pair name | `string` | `null` | no |
+| kms\_key\_id | Optional CMK Key ID to be used for Parameter Store. | `string` | `null` | no |
 | lambda\_s3\_bucket | S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly. | `any` | `null` | no |
 | lambda\_security\_group\_ids | List of security group IDs associated with the Lambda function. | `list(string)` | `[]` | no |
 | lambda\_subnet\_ids | List of subnets in which the lambda will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | `[]` | no |
@@ -148,6 +146,7 @@ No Modules.
 | lambda\_scale\_down | n/a |
 | lambda\_scale\_up | n/a |
 | launch\_template | n/a |
+| policy | n/a |
 | role\_runner | n/a |
 | role\_scale\_down | n/a |
 | role\_scale\_up | n/a |

modules/runners/lambdas/runners/package.json

@@ -12,7 +12,8 @@
     "build": "ncc build src/lambda.ts -o dist",
     "dist": "yarn build && cd dist && zip ../runners.zip index.js",
     "format": "prettier --write \"**/*.ts\"",
-    "format-check": "prettier --check \"**/*.ts\""
+    "format-check": "prettier --check \"**/*.ts\"",
+    "all": "yarn build && yarn format && yarn lint && yarn test"
   },
   "devDependencies": {
     "@types/aws-lambda": "^8.10.75",
@@ -22,14 +23,17 @@
     "@typescript-eslint/parser": "^4.22.0",
     "@vercel/ncc": "0.27.0",
     "eslint": "^7.22.0",
+    "eslint-plugin-prettier": "3.4.0",
     "jest": "^26.6.3",
     "jest-mock-extended": "^1.0.13",
     "moment-timezone": "^0.5.33",
     "nock": "^13.0.11",
+    "prettier": "2.3.1",
     "ts-jest": "^26.5.5",
     "ts-node-dev": "^1.1.6"
   },
   "dependencies": {
+    "@aws-sdk/client-ssm": "^3.18.0",
     "@octokit/auth-app": "3.4.0",
     "@octokit/rest": "^18.3.5",
     "@octokit/types": "^6.13.0",

modules/runners/lambdas/runners/src/lambda.ts

@@ -2,6 +2,7 @@ import { scaleUp } from './scale-runners/scale-up';
 import { scaleDown } from './scale-runners/scale-down';
 import { SQSEvent, ScheduledEvent, Context } from 'aws-lambda';
 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
 module.exports.scaleUp = async (event: SQSEvent, context: Context, callback: any) => {
   console.dir(event, { depth: 5 });
   try {
@@ -15,6 +16,7 @@ module.exports.scaleUp = async (event: SQSEvent, context: Context, callback: any
   }
 };
 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
 module.exports.scaleDown = async (event: ScheduledEvent, context: Context, callback: any) => {
   try {
     scaleDown();

modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts

@@ -2,15 +2,20 @@ import { createOctoClient, createGithubAuth } from './gh-auth';
 import nock from 'nock';
 import { createAppAuth } from '@octokit/auth-app';
 import { StrategyOptions } from '@octokit/auth-app/dist-types/types';
-import { decrypt } from './kms';
+import { getParameterValue } from './ssm';
 import { RequestInterface } from '@octokit/types';
 import { mock, MockProxy } from 'jest-mock-extended';
 import { request } from '@octokit/request';
+import { mocked } from 'ts-jest/utils';
 
-jest.mock('./kms');
+jest.mock('./ssm');
 jest.mock('@octokit/auth-app');
 
 const cleanEnv = process.env;
+const ENVIRONMENT = 'dev';
+const GITHUB_APP_ID = '1';
+const GITHUB_APP_CLIENT_ID = '1';
+const GITHUB_APP_CLIENT_SECRET = 'client_secret';
 
 beforeEach(() => {
   jest.resetModules();
@@ -46,8 +51,7 @@ describe('Test createGithubAuth', () => {
 });
 
 describe('Test createGithubAuth', () => {
-  const mockedDecrypt = (decrypt as unknown) as jest.Mock;
-  const mockedCreatAppAuth = (createAppAuth as unknown) as jest.Mock;
+  const mockedCreatAppAuth = createAppAuth as unknown as jest.Mock;
   const mockedDefaults = jest.spyOn(request, 'defaults');
   let mockedRequestInterface: MockProxy<RequestInterface>;
 
@@ -58,27 +62,28 @@ describe('Test createGithubAuth', () => {
   const b64 = Buffer.from(decryptedValue, 'binary').toString('base64');
 
   beforeEach(() => {
-    process.env.GITHUB_APP_ID = '1';
-    process.env.GITHUB_APP_CLIENT_SECRET = 'client_secret';
-    process.env.GITHUB_APP_KEY_BASE64 = 'base64';
-    process.env.KMS_KEY_ID = 'key_id';
-    process.env.ENVIRONMENT = 'dev';
-    process.env.GITHUB_APP_CLIENT_ID = '1';
+    process.env.ENVIRONMENT = ENVIRONMENT;
   });
 
   test('Creates auth object for public GitHub', async () => {
     // Arrange
     const authOptions = {
-      appId: parseInt(process.env.GITHUB_APP_ID as string),
-      privateKey: 'decryptedValue',
+      appId: parseInt(GITHUB_APP_ID),
+      privateKey: decryptedValue,
       installationId,
-      clientId: process.env.GITHUB_APP_CLIENT_ID,
-      clientSecret: 'decryptedValue',
+      clientId: GITHUB_APP_CLIENT_ID,
+      clientSecret: GITHUB_APP_CLIENT_SECRET,
     };
 
-    mockedDecrypt.mockResolvedValueOnce(decryptedValue).mockResolvedValueOnce(b64);
+    const mockedGet = mocked(getParameterValue);
+    mockedGet
+      .mockResolvedValueOnce(GITHUB_APP_ID)
+      .mockResolvedValueOnce(b64)
+      .mockResolvedValueOnce(GITHUB_APP_CLIENT_ID)
+      .mockResolvedValueOnce(GITHUB_APP_CLIENT_SECRET);
     const mockedAuth = jest.fn();
     mockedAuth.mockResolvedValue({ token });
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
     mockedCreatAppAuth.mockImplementation((authOptions: StrategyOptions) => {
       return mockedAuth;
     });
@@ -87,16 +92,11 @@ describe('Test createGithubAuth', () => {
     const result = await createGithubAuth(installationId, authType);
 
     // Assert
-    expect(mockedDecrypt).toBeCalledWith(
-      process.env.GITHUB_APP_CLIENT_SECRET,
-      process.env.KMS_KEY_ID,
-      process.env.ENVIRONMENT,
-    );
-    expect(mockedDecrypt).toBeCalledWith(
-      process.env.GITHUB_APP_KEY_BASE64,
-      process.env.KMS_KEY_ID,
-      process.env.ENVIRONMENT,
-    );
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_id');
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_key_base64');
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_id');
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_secret');
+
     expect(mockedCreatAppAuth).toBeCalledTimes(1);
     expect(mockedCreatAppAuth).toBeCalledWith(authOptions);
     expect(mockedAuth).toBeCalledWith({ type: authType });
@@ -113,17 +113,70 @@ describe('Test createGithubAuth', () => {
     });
 
     const authOptions = {
-      appId: parseInt(process.env.GITHUB_APP_ID as string),
-      privateKey: 'decryptedValue',
+      appId: parseInt(GITHUB_APP_ID),
+      privateKey: decryptedValue,
       installationId,
-      clientId: process.env.GITHUB_APP_CLIENT_ID,
-      clientSecret: 'decryptedValue',
+      clientId: GITHUB_APP_CLIENT_ID,
+      clientSecret: GITHUB_APP_CLIENT_SECRET,
+      request: mockedRequestInterface.defaults({ baseUrl: githubServerUrl }),
+    };
+
+    const mockedGet = mocked(getParameterValue);
+    mockedGet
+      .mockResolvedValueOnce(GITHUB_APP_ID)
+      .mockResolvedValueOnce(b64)
+      .mockResolvedValueOnce(GITHUB_APP_CLIENT_ID)
+      .mockResolvedValueOnce(GITHUB_APP_CLIENT_SECRET);
+    const mockedAuth = jest.fn();
+    mockedAuth.mockResolvedValue({ token });
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    mockedCreatAppAuth.mockImplementation((authOptions: StrategyOptions) => {
+      return mockedAuth;
+    });
+
+    // Act
+    const result = await createGithubAuth(installationId, authType, githubServerUrl);
+
+    // Assert
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_id');
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_key_base64');
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_id');
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_secret');
+
+    expect(mockedCreatAppAuth).toBeCalledTimes(1);
+    expect(mockedCreatAppAuth).toBeCalledWith(authOptions);
+    expect(mockedAuth).toBeCalledWith({ type: authType });
+    expect(result.token).toBe(token);
+  });
+
+  test('Creates auth object for Enterprise Server with no ID', async () => {
+    // Arrange
+    const githubServerUrl = 'https://github.enterprise.notgoingtowork';
+
+    mockedRequestInterface = mock<RequestInterface>();
+    mockedDefaults.mockImplementation(() => {
+      return mockedRequestInterface.defaults({ baseUrl: githubServerUrl });
+    });
+
+    const installationId = undefined;
+
+    const authOptions = {
+      appId: parseInt(GITHUB_APP_ID),
+      privateKey: decryptedValue,
+      clientId: GITHUB_APP_CLIENT_ID,
+      clientSecret: GITHUB_APP_CLIENT_SECRET,
       request: mockedRequestInterface.defaults({ baseUrl: githubServerUrl }),
     };
 
-    mockedDecrypt.mockResolvedValueOnce(decryptedValue).mockResolvedValueOnce(b64);
+    const mockedGet = mocked(getParameterValue);
+    mockedGet
+      .mockResolvedValueOnce(GITHUB_APP_ID)
+      .mockResolvedValueOnce(b64)
+      .mockResolvedValueOnce(GITHUB_APP_CLIENT_ID)
+      .mockResolvedValueOnce(GITHUB_APP_CLIENT_SECRET);
     const mockedAuth = jest.fn();
     mockedAuth.mockResolvedValue({ token });
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
     mockedCreatAppAuth.mockImplementation((authOptions: StrategyOptions) => {
       return mockedAuth;
     });
@@ -132,16 +185,11 @@ describe('Test createGithubAuth', () => {
     const result = await createGithubAuth(installationId, authType, githubServerUrl);
 
     // Assert
-    expect(mockedDecrypt).toBeCalledWith(
-      process.env.GITHUB_APP_CLIENT_SECRET,
-      process.env.KMS_KEY_ID,
-      process.env.ENVIRONMENT,
-    );
-    expect(mockedDecrypt).toBeCalledWith(
-      process.env.GITHUB_APP_KEY_BASE64,
-      process.env.KMS_KEY_ID,
-      process.env.ENVIRONMENT,
-    );
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_id');
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_key_base64');
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_id');
+    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_secret');
+
     expect(mockedCreatAppAuth).toBeCalledTimes(1);
     expect(mockedCreatAppAuth).toBeCalledWith(authOptions);
     expect(mockedAuth).toBeCalledWith({ type: authType });

modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts

@@ -1,14 +1,9 @@
 import { Octokit } from '@octokit/rest';
 import { request } from '@octokit/request';
 import { createAppAuth } from '@octokit/auth-app';
-import {
-  Authentication,
-  StrategyOptions,
-  AppAuthentication,
-  InstallationAccessTokenAuthentication,
-} from '@octokit/auth-app/dist-types/types';
+import { StrategyOptions, AppAuthentication } from '@octokit/auth-app/dist-types/types';
 import { OctokitOptions } from '@octokit/core/dist-types/types';
-import { decrypt } from './kms';
+import { getParameterValue } from './ssm';
 
 export async function createOctoClient(token: string, ghesApiUrl = ''): Promise<Octokit> {
   const ocktokitOptions: OctokitOptions = {
@@ -26,31 +21,13 @@ export async function createGithubAuth(
   authType: 'app' | 'installation',
   ghesApiUrl = '',
 ): Promise<AppAuthentication> {
-  const clientSecret = await decrypt(
-    process.env.GITHUB_APP_CLIENT_SECRET as string,
-    process.env.KMS_KEY_ID as string,
-    process.env.ENVIRONMENT as string,
-  );
-  const privateKeyBase64 = await decrypt(
-    process.env.GITHUB_APP_KEY_BASE64 as string,
-    process.env.KMS_KEY_ID as string,
-    process.env.ENVIRONMENT as string,
-  );
-
-  if (clientSecret === undefined || privateKeyBase64 === undefined) {
-    throw Error('Cannot decrypt.');
-  }
-
-  const privateKey = Buffer.from(privateKeyBase64, 'base64').toString();
-
-  const appId: number = parseInt(process.env.GITHUB_APP_ID as string);
-  const clientId = process.env.GITHUB_APP_CLIENT_ID as string;
+  const environment = process.env.ENVIRONMENT as string;
 
   let authOptions: StrategyOptions = {
-    appId,
-    privateKey,
-    clientId,
-    clientSecret,
+    appId: parseInt(await getParameterValue(environment, 'github_app_id')),
+    privateKey: Buffer.from(await getParameterValue(environment, 'github_app_key_base64'), 'base64').toString(),
+    clientId: await getParameterValue(environment, 'github_app_client_id'),
+    clientSecret: await getParameterValue(environment, 'github_app_client_secret'),
   };
   if (installationId) authOptions = { ...authOptions, installationId };