Merge pull request #6 from andrewhibbert/fix_scheduler_multi_region

tonymills · web-flow · commit c28df85180e7 · 2025-11-17T14:14:41.000Z
fix: Make schedule policies work in multiple regions
diff --git a/examples/cloudtrail/main.tf b/examples/cloudtrail/main.tf
@@ -14,7 +14,7 @@ module "cloud_custodian_s3" {
 }
 
 resource "aws_iam_role" "custodian" {
-  name               = "${local.prefix}cloudtrail"
+  name               = "${local.prefix}cloudtrail-lambda"
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
diff --git a/examples/cloudtrail/templates/policy.yaml.tpl b/examples/cloudtrail/templates/policy.yaml.tpl
@@ -11,7 +11,7 @@ policies:
       output_dir: s3://${prefix}cloudtrail-${account_id}/output
       cache_dir: s3://${prefix}cloudtrail-${account_id}/cache
       cache_period: 15
-    role: arn:aws:iam::${account_id}:role/${prefix}cloudtrail
+    role: arn:aws:iam::${account_id}:role/${prefix}cloudtrail-lambda
     events:
     - source: ec2.amazonaws.com
       event: AuthorizeSecurityGroupIngress
diff --git a/examples/config-rule/main.tf b/examples/config-rule/main.tf
@@ -14,7 +14,7 @@ module "cloud_custodian_s3" {
 }
 
 resource "aws_iam_role" "custodian" {
-  name               = "${local.prefix}config-rule"
+  name               = "${local.prefix}config-rule-lambda"
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
@@ -124,7 +124,7 @@ module "cloud_custodian_lambda" {
           "cache_dir": "s3://${local.prefix}config-rule-${local.account_id}/cache",
           "cache_period": 15
         },
-        "role": "arn:aws:iam::${local.account_id}:role/${local.prefix}config-rule"
+        "role": "arn:aws:iam::${local.account_id}:role/${local.prefix}config-rule-lambda"
       },
       "resource": "ec2",
       "filters": [
diff --git a/examples/ec2-instance-state/main.tf b/examples/ec2-instance-state/main.tf
@@ -14,7 +14,7 @@ module "cloud_custodian_s3" {
 }
 
 resource "aws_iam_role" "custodian" {
-  name               = "${local.prefix}ec2-instance-state"
+  name               = "${local.prefix}ec2-instance-state-lambda"
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
@@ -102,7 +102,7 @@ module "cloud_custodian_lambda" {
           "cache_dir": "s3://${local.prefix}ec2-instance-state-${local.account_id}/cache",
           "cache_period": 15
         },
-        "role": "arn:aws:iam::${local.account_id}:role/custodian-dev-ec2-instance-state",
+        "role": "arn:aws:iam::${local.account_id}:role/${local.prefix}ec2-instance-state-lambda",
         "events": [
           "terminated"
         ]
diff --git a/examples/mailer/main.tf b/examples/mailer/main.tf
@@ -6,7 +6,7 @@ locals {
 }
 
 resource "aws_iam_role" "custodian" {
-  name               = local.lambda_name
+  name               = "${local.lambda_name}-lambda"
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
diff --git a/examples/mailer/templates/mailer.yaml.tpl b/examples/mailer/templates/mailer.yaml.tpl
@@ -2,6 +2,6 @@
 lambda_name: "${lambda_name}"
 lambda_schedule: rate(10 minutes)
 queue_url: https://sqs.us-east-1.amazonaws.com/${account_id}/c7n-mailer-test
-role: arn:aws:iam::${account_id}:role/${lambda_name}
+role: arn:aws:iam::${account_id}:role/${lambda_name}-lambda
 slack_token: xoxo-token123
 region: ${region}
diff --git a/examples/multi-policies/main.tf b/examples/multi-policies/main.tf
@@ -13,7 +13,7 @@ module "cloud_custodian_s3" {
 }
 
 resource "aws_iam_role" "custodian" {
-  name               = "${local.prefix}multi-policies"
+  name               = "${local.prefix}multi-policies-lambda"
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
@@ -73,6 +73,43 @@ data "aws_iam_policy_document" "custodian" {
   }
 }
 
+resource "aws_iam_role" "scheduler" {
+  name               = "${local.prefix}multi-policies-scheduler"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "scheduler.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "scheduler" {
+  role = aws_iam_role.scheduler.id
+
+  policy = data.aws_iam_policy_document.scheduler.json
+}
+
+data "aws_iam_policy_document" "scheduler" {
+  statement {
+    actions = [
+      "lambda:InvokeFunction",
+    ]
+
+    resources = [
+      "arn:aws:lambda:*:${local.account_id}:function:${local.prefix}*",
+    ]
+  }
+}
+
 module "custodian_policies" {
   source = "../../modules/cloud-custodian-lambda-policies"
 
@@ -84,6 +121,7 @@ module "custodian_policies" {
 
   depends_on = [
     module.cloud_custodian_s3,
-    aws_iam_role.custodian
+    aws_iam_role.custodian,
+    aws_iam_role.scheduler
   ]
 }
diff --git a/examples/multi-policies/templates/policies.yaml.tpl b/examples/multi-policies/templates/policies.yaml.tpl
@@ -6,7 +6,7 @@ vars:
 policies:
 - name: ami-age
   mode:
-    type: periodic
+    type: schedule
     function-prefix: "${prefix}"
     execution-options:
       metrics_enabled: true
@@ -16,18 +16,16 @@ policies:
       cache_dir: s3://${prefix}multi-policies-${account_id}/cache
       cache_period: 15
     schedule: cron(0 11 ? * 3 *)
-    role: "${prefix}multi-policies"
-    timeout: 300
-    memory: 256
-    tags:
-      Test: 'true'
+    timezone: Europe/London
+    scheduler-role: ${prefix}multi-policies-scheduler
+    role: ${prefix}multi-policies-lambda
   resource: ami
   filters:
   - and: *image-age-filters
 
 - name: ec2-ami-age
   mode:
-    type: periodic
+    type: schedule
     function-prefix: "${prefix}"
     execution-options:
       metrics_enabled: true
@@ -37,12 +35,32 @@ policies:
       cache_dir: s3://${prefix}multi-policies-${account_id}/cache
       cache_period: 15
     schedule: cron(0 11 ? * 3 *)
-    role: "${prefix}multi-policies"
-    timeout: 300
-    memory: 256
-    tags:
-      Test: 'true'
+    timezone: Europe/London
+    scheduler-role: ${prefix}multi-policies-scheduler
+    role: ${prefix}multi-policies-lambda
   resource: ec2
   filters:
   - and: *image-age-filters
   - "State.Name": "running"
+
+- name: ec2-public-ami
+  mode:
+    type: ec2-instance-state
+    function-prefix: "${prefix}"
+    execution-options:
+      metrics_enabled: true
+      dryrun: false
+      log_group: "/cloud-custodian/policies"
+      output_dir: s3://${prefix}multi-policies-${account_id}/output
+      cache_dir: s3://${prefix}multi-policies-${account_id}/cache
+      cache_period: 15
+    role: "${prefix}multi-policies-lambda"
+    events:
+    - pending
+    - running
+  resource: ec2
+  filters:
+  - and:
+    - type: image
+      key: Public
+      value: true
diff --git a/examples/multi-region/main.tf b/examples/multi-region/main.tf
@@ -13,7 +13,7 @@ module "cloud_custodian_s3" {
 }
 
 resource "aws_iam_role" "custodian" {
-  name               = "${local.prefix}multi-region"
+  name               = "${local.prefix}multi-region-lambda"
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
diff --git a/examples/multi-region/templates/policy.yaml.tpl b/examples/multi-region/templates/policy.yaml.tpl
@@ -16,7 +16,7 @@ policies:
       cache_dir: s3://${prefix}multi-region-${account_id}/cache
       cache_period: 15
     schedule: cron(0 11 ? * 3 *)
-    role: "${prefix}multi-region"
+    role: "${prefix}multi-region-lambda"
     timeout: 300
     memory: 256
     tags:
diff --git a/examples/periodic/main.tf b/examples/periodic/main.tf
@@ -14,7 +14,7 @@ module "cloud_custodian_s3" {
 }
 
 resource "aws_iam_role" "custodian" {
-  name               = "${local.prefix}periodic"
+  name               = "${local.prefix}periodic-lambda"
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
diff --git a/examples/periodic/templates/policy.yaml.tpl b/examples/periodic/templates/policy.yaml.tpl
@@ -16,7 +16,7 @@ policies:
       cache_dir: s3://${prefix}periodic-${account_id}/cache
       cache_period: 15
     schedule: rate(5 minutes)
-    role: "${prefix}periodic"
+    role: "${prefix}periodic-lambda"
     timeout: 300
     memory: 256
     tags:
diff --git a/examples/schedule/main.tf b/examples/schedule/main.tf
@@ -14,7 +14,7 @@ module "cloud_custodian_s3" {
 }
 
 resource "aws_iam_role" "custodian" {
-  name               = "${local.prefix}schedule"
+  name               = "${local.prefix}schedule-lambda"
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
@@ -74,7 +74,7 @@ data "aws_iam_policy_document" "custodian" {
 }
 
 resource "aws_iam_role" "scheduler" {
-  name               = "${local.prefix}scheduler"
+  name               = "${local.prefix}schedule-scheduler"
   assume_role_policy = <<EOF
 {
   "Version": "2012-10-17",
diff --git a/examples/schedule/templates/policy.yaml.tpl b/examples/schedule/templates/policy.yaml.tpl
@@ -18,8 +18,8 @@ policies:
     schedule: rate(5 minutes)
     timezone: Europe/London
     group-name: ${prefix}schedule-group
-    scheduler-role: arn:aws:iam::${account_id}:role/${prefix}scheduler
-    role: "${prefix}schedule"
+    scheduler-role: ${prefix}schedule-scheduler
+    role: ${prefix}schedule-lambda
   resource: ami
   filters:
   - and: *image-age-filters
diff --git a/main.tf b/main.tf
@@ -37,12 +37,15 @@ locals {
   periodic_mode = local.mode_type == "periodic" && local.schedule != null && local.schedule != ""
   schedule      = try(local.policy_obj.mode.schedule, null)
 
-  schedule_mode           = local.mode_type == "schedule" && local.schedule != null && local.schedule != ""
-  schedule_timezone       = try(local.policy_obj.mode.timezone, "Etc/UTC")
-  schedule_group_name     = try(local.policy_obj.mode["group-name"], "default")
-  schedule_scheduler_role = try(local.policy_obj.mode["scheduler-role"], null)
-  schedule_start_date     = try(local.policy_obj.mode["start-date"], null)
-  schedule_end_date       = try(local.policy_obj.mode["end-date"], null)
+  schedule_mode        = local.mode_type == "schedule" && local.schedule != null && local.schedule != ""
+  schedule_timezone    = try(local.policy_obj.mode.timezone, "Etc/UTC")
+  schedule_group_name  = try(local.policy_obj.mode["group-name"], "default")
+  scheduler_role_input = try(local.policy_obj.mode["scheduler-role"], null)
+  scheduler_role = local.scheduler_role_input != null ? (
+    startswith(local.scheduler_role_input, "arn:") ? local.scheduler_role_input : data.aws_iam_role.scheduler_role[0].arn
+  ) : null
+  schedule_start_date = try(local.policy_obj.mode["start-date"], null)
+  schedule_end_date   = try(local.policy_obj.mode["end-date"], null)
 
   cloudwatch_event_mode = contains([
     "cloudtrail",
@@ -185,8 +188,14 @@ resource "aws_lambda_permission" "periodic" {
   }
 }
 
+data "aws_iam_role" "scheduler_role" {
+  count = local.scheduler_role_input != null && !startswith(local.scheduler_role_input, "arn:") ? 1 : 0
+  name  = local.scheduler_role_input
+}
+
 resource "aws_scheduler_schedule" "schedule" {
   for_each = local.schedule_mode ? toset(local.regions) : []
+  region   = each.key
 
   name       = local.function_name
   group_name = local.schedule_group_name
@@ -205,7 +214,7 @@ resource "aws_scheduler_schedule" "schedule" {
 
   target {
     arn      = aws_lambda_function.custodian[each.key].arn
-    role_arn = local.schedule_scheduler_role
+    role_arn = local.scheduler_role
   }
 
   lifecycle {
@@ -215,8 +224,9 @@ resource "aws_scheduler_schedule" "schedule" {
 
 resource "aws_lambda_permission" "schedule" {
   for_each = local.schedule_mode ? toset(local.regions) : []
+  region   = each.key
 
-  statement_id  = "${local.function_name}-scheduler"
+  statement_id  = local.function_name
   action        = "lambda:InvokeFunction"
   function_name = aws_lambda_function.custodian[each.key].function_name
   principal     = "scheduler.amazonaws.com"

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ module "cloud_custodian_s3" {`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`resource "aws_iam_role" "custodian" {`
`17`		`- name = "${local.prefix}cloudtrail"`
	`17`	`+ name = "${local.prefix}cloudtrail-lambda"`
`18`	`18`	`assume_role_policy = <<EOF`
`19`	`19`	`{`
`20`	`20`	`"Version": "2012-10-17",`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ locals {`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`resource "aws_iam_role" "custodian" {`
`9`		`- name = local.lambda_name`
	`9`	`+ name = "${local.lambda_name}-lambda"`
`10`	`10`	`assume_role_policy = <<EOF`
`11`	`11`	`{`
`12`	`12`	`"Version": "2012-10-17",`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ module "cloud_custodian_s3" {`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`resource "aws_iam_role" "custodian" {`
`16`		`- name = "${local.prefix}multi-region"`
	`16`	`+ name = "${local.prefix}multi-region-lambda"`
`17`	`17`	`assume_role_policy = <<EOF`
`18`	`18`	`{`
`19`	`19`	`"Version": "2012-10-17",`