cleanup, refactor

Author: npalm

main.tf

@@ -37,15 +37,6 @@ module "webhook" {
   lambda_timeout = var.webhook_lambda_timeout
 }
 
-resource "aws_iam_role_policy" "webhook" {
-  name = "${var.environment}-lambda-webhook-publish-sqs-policy"
-  role = module.webhook.role.name
-
-  policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
-    sqs_resource_arn = aws_sqs_queue.queued_builds.arn
-  })
-}
-
 module "runners" {
   source = "./modules/runners"
 
@@ -58,7 +49,7 @@ module "runners" {
   s3_bucket_runner_binaries   = module.runner_binaries.bucket
   s3_location_runner_binaries = local.s3_action_runner_url
 
-  sqs                             = aws_sqs_queue.queued_builds
+  sqs_build_queue                 = aws_sqs_queue.queued_builds
   github_app                      = var.github_app
   enable_organization_runners     = var.enable_organization_runners
   scale_down_schedule_expression  = var.scale_down_schedule_expression
@@ -85,20 +76,9 @@ module "runner_binaries" {
 
 resource "aws_resourcegroups_group" "resourcegroups_group" {
   name = "${var.environment}-group"
-
   resource_query {
-    query = <<-JSON
-{
-  "ResourceTypeFilters": [
-    "AWS::AllSupported"
-  ],
-  "TagFilters": [
-    {
-      "Key": "Environment",
-      "Values": ["${var.environment}"]
-    }
-  ]
-}
-  JSON
+    query = templatefile("${path.module}/templates/resource-group.json", {
+      environment = var.environment
+    })
   }
 }

modules/runners/outputs.tf

@@ -2,6 +2,22 @@ output "launch_template" {
   value = aws_launch_template.runner
 }
 
-output "role" {
+output "role_runner" {
   value = aws_iam_role.runner
 }
+
+output "lambda_scale_up" {
+  value = aws_lambda_function.scale_up
+}
+
+output "role_scale_up" {
+  value = aws_iam_role.scale_up
+}
+
+output "lambda_scale_down" {
+  value = aws_lambda_function.scale_down
+}
+
+output "role_scale_down" {
+  value = aws_iam_role.scale_down
+}

modules/runners/scale-up.tf

@@ -24,7 +24,7 @@ resource "aws_lambda_function" "scale_up" {
 }
 
 resource "aws_lambda_event_source_mapping" "scale_up" {
-  event_source_arn = var.sqs.arn
+  event_source_arn = var.sqs_build_queue.arn
   function_name    = aws_lambda_function.scale_up.arn
 }
 
@@ -33,7 +33,7 @@ resource "aws_lambda_permission" "scale_runners_lambda" {
   action        = "lambda:InvokeFunction"
   function_name = aws_lambda_function.scale_up.function_name
   principal     = "sqs.amazonaws.com"
-  source_arn    = var.sqs.arn
+  source_arn    = var.sqs_build_queue.arn
 }
 
 resource "aws_iam_role" "scale_up" {
@@ -47,6 +47,6 @@ resource "aws_iam_role_policy" "scale_up" {
 
   policy = templatefile("${path.module}/policies/lambda-scale-up.json", {
     arn_runner_instance_role = aws_iam_role.runner.arn
-    sqs_arn                  = var.sqs.arn
+    sqs_arn                  = var.sqs_build_queue.arn
   })
 }

modules/runners/variables.tf

@@ -92,7 +92,12 @@ variable "userdata_post_install" {
   default     = ""
 }
 
-variable "sqs" {}
+variable "sqs_build_queue" {
+  description = "SQS queue to consume accepted build events."
+  type = object({
+    arn = string
+  })
+}
 
 variable "enable_organization_runners" {
   type = bool

modules/webhook/main.tf

@@ -47,53 +47,3 @@ resource "aws_apigatewayv2_integration" "webhook" {
   integration_method = "POST"
   integration_uri    = aws_lambda_function.webhook.invoke_arn
 }
-
-resource "aws_lambda_function" "webhook" {
-  filename         = local.lambda_zip
-  source_code_hash = filebase64sha256(local.lambda_zip)
-  function_name    = "${var.environment}-webhook"
-  role             = aws_iam_role.webhook_lambda.arn
-  handler          = "index.githubWebhook"
-  runtime          = "nodejs12.x"
-  timeout          = var.lambda_timeout
-
-  environment {
-    variables = {
-      GITHUB_APP_WEBHOOK_SECRET = var.github_app_webhook_secret
-      SQS_URL_WEBHOOK           = var.sqs_build_queue.id
-    }
-  }
-
-  tags = var.tags
-}
-
-resource "aws_lambda_permission" "webhook" {
-  statement_id  = "AllowExecutionFromAPIGateway"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.webhook.function_name
-  principal     = "apigateway.amazonaws.com"
-  source_arn    = "${aws_apigatewayv2_api.webhook.execution_arn}/*/*/${local.webhook_endpoint}"
-}
-
-data "aws_iam_policy_document" "lambda_assume_role_policy" {
-  statement {
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "Service"
-      identifiers = ["lambda.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "webhook_lambda" {
-  name               = "${var.environment}-action-webhook-lambda-role"
-  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
-  tags               = var.tags
-}
-
-resource "aws_iam_role_policy" "webhook_logging" {
-  name   = "${var.environment}-lamda-logging-policy"
-  role   = aws_iam_role.webhook_lambda.name
-  policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {})
-}

modules/webhook/outputs.tf

@@ -9,3 +9,7 @@ output "lambda" {
 output "role" {
   value = aws_iam_role.webhook_lambda
 }
+
+output "endpoint_relative_path" {
+  value = local.webhook_endpoint
+}

modules/webhook/policies/lambda-publish-sqs-policy.json

@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],
+      "Resource": "${sqs_resource_arn}"
+    }
+  ]
+}

modules/webhook/variables.tf

@@ -19,16 +19,13 @@ variable "tags" {
 }
 
 variable "sqs_build_queue" {
+  description = "SQS queue to publish accepted build events."
   type = object({
-    id = string
+    id  = string
+    arn = string
   })
 }
 
-variable "create_sqs_publish_policy" {
-  type    = bool
-  default = true
-}
-
 variable "lambda_zip" {
   description = "File location of the lambda zip file."
   type        = string

modules/webhook/webhook.tf

@@ -0,0 +1,58 @@
+resource "aws_lambda_function" "webhook" {
+  filename         = local.lambda_zip
+  source_code_hash = filebase64sha256(local.lambda_zip)
+  function_name    = "${var.environment}-webhook"
+  role             = aws_iam_role.webhook_lambda.arn
+  handler          = "index.githubWebhook"
+  runtime          = "nodejs12.x"
+  timeout          = var.lambda_timeout
+
+  environment {
+    variables = {
+      GITHUB_APP_WEBHOOK_SECRET = var.github_app_webhook_secret
+      SQS_URL_WEBHOOK           = var.sqs_build_queue.id
+    }
+  }
+
+  tags = var.tags
+}
+
+resource "aws_lambda_permission" "webhook" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.webhook.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_apigatewayv2_api.webhook.execution_arn}/*/*/${local.webhook_endpoint}"
+}
+
+data "aws_iam_policy_document" "lambda_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "webhook_lambda" {
+  name               = "${var.environment}-action-webhook-lambda-role"
+  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
+  tags               = var.tags
+}
+
+resource "aws_iam_role_policy" "webhook_logging" {
+  name   = "${var.environment}-lamda-logging-policy"
+  role   = aws_iam_role.webhook_lambda.name
+  policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {})
+}
+
+resource "aws_iam_role_policy" "webhook_sqs" {
+  name = "${var.environment}-lambda-webhook-publish-sqs-policy"
+  role = aws_iam_role.webhook_lambda.name
+
+  policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
+    sqs_resource_arn = var.sqs_build_queue.arn
+  })
+}

outputs.tf

@@ -3,6 +3,11 @@ output "runners" {
     launch_template_name    = module.runners.launch_template.name
     launch_template_id      = module.runners.launch_template.id
     launch_template_version = module.runners.launch_template.latest_version
+    lambda_up               = module.runners.lambda_scale_up
+    lambda_down             = module.runners.lambda_scale_down
+    role_runner             = module.runners.role_runner
+    role_scale_up           = module.runners.role_scale_up
+    role_scale_down         = module.runners.role_scale_down
   }
 }
 
@@ -19,5 +24,7 @@ output "webhook" {
     gateway     = module.webhook.gateway
     lambda      = module.webhook.lambda
     lambda_role = module.webhook.role
+    endpoint    = "${module.webhook.gateway.api_endpoint}/${module.webhook.endpoint_relative_path}"
   }
 }
+