fix missing permission, update test example and add more logging

npalm · npalm · commit 17792c33c88e · 2025-06-22T12:30:05.000+02:00
diff --git a/examples/prebuilt/README.md b/examples/prebuilt/README.md
@@ -7,6 +7,18 @@ This module shows how to create GitHub action runners using a prebuilt AMI for t
 
 @@ Usages
 
+
+Steps for the full setup, such as creating a GitHub app can be found in the root module's [README](https://github.com/github-aws-runners/terraform-aws-github-runner). First download the Lambda releases from GitHub. Alternatively you can build the lambdas locally with Node or Docker, there is a simple build script in `<root>/.ci/build.sh`. In the `main.tf` you can simply remove the location of the lambda zip files, the default location will work in this case.
+
+> This example assumes local built lambda's available. Ensure you have built the lambda's. Alternatively you can download the lambda's. The version needs to be set to a GitHub release version, see https://github.com/github-aws-runners/terraform-aws-github-runner/releases
+
+```bash
+cd ../lambdas-download
+terraform init
+terraform apply -var=module_version=<VERSION>
+cd -
+```
+
 ### Packer Image
 
 You will need to build your image. This example deployment uses the image example in `/images/linux-amz2`. You must build this image with packer in your AWS account first. Once you have built this you need to provider your owner ID as a variable
diff --git a/examples/prebuilt/main.tf b/examples/prebuilt/main.tf
@@ -1,6 +1,6 @@
 locals {
-  environment = "prebuilt"
-  aws_region  = "eu-west-1"
+  environment = var.environment != null ? var.environment : "default"
+  aws_region  = var.aws_region
 }
 
 resource "random_id" "random" {
@@ -32,9 +32,12 @@ module "runners" {
     webhook_secret = random_id.random.hex
   }
 
-  webhook_lambda_zip                = "../lambdas-download/webhook.zip"
-  runner_binaries_syncer_lambda_zip = "../lambdas-download/runner-binaries-syncer.zip"
-  runners_lambda_zip                = "../lambdas-download/runners.zip"
+  # link to downloaded lambda zip files.
+  # When not explicitly set lambda zip files are grabbed from the module requiring lambda build.
+  #
+  # webhook_lambda_zip                = "../lambdas-download/webhook.zip"
+  # runner_binaries_syncer_lambda_zip = "../lambdas-download/runner-binaries-syncer.zip"
+  # runners_lambda_zip                = "../lambdas-download/runners.zip"
 
   runner_extra_labels = ["default", "example"]
 
@@ -56,6 +59,44 @@ module "runners" {
 
   # override scaling down
   scale_down_schedule_expression = "cron(* * * * ? *)"
+
+  enable_ami_housekeeper = true
+  ami_housekeeper_cleanup_config = {
+    ssmParameterNames = ["*/ami_id"]
+    minimumDaysOld    = 1
+    dryRun            = true
+    amiFilters = [
+      {
+        Name   = "name"
+        Values = ["*al2023*"]
+      }
+    ]
+  }
+
+  # variable "runners_ssm_housekeeper" {
+  #   description = <<EOF
+  #   Configuration for the SSM housekeeper lambda. This lambda deletes token / JIT config from SSM.
+
+  #   `schedule_expression`: is used to configure the schedule for the lambda.
+  #   `enabled`: enable or disable the lambda trigger via the EventBridge.
+  #   `lambda_memory_size`: lambda memery size limit.
+  #   `lambda_timeout`: timeout for the lambda in seconds.
+  #   `config`: configuration for the lambda function. Token path will be read by default from the module.
+  #   EOF
+  #   type = object({
+  #     schedule_expression = optional(string, "rate(1 day)")
+  #     enabled             = optional(bool, true)
+  #     lambda_memory_size  = optional(number, 512)
+  #     lambda_timeout      = optional(number, 60)
+  #     config = object({
+  #       tokenPath      = optional(string)
+  #       minimumDaysOld = optional(number, 1)
+  #       dryRun         = optional(bool, false)
+  #     })
+  #   })
+  #   default = { config = {} }
+
+  # log_level = "debug"
 }
 
 module "webhook_github_app" {
diff --git a/examples/prebuilt/variables.tf b/examples/prebuilt/variables.tf
@@ -7,6 +7,20 @@ variable "github_app" {
   })
 }
 
+variable "environment" {
+  description = "Environment name, used as prefix."
+
+  type    = string
+  default = null
+}
+
+variable "aws_region" {
+  description = "AWS region."
+
+  type    = string
+  default = "eu-west-1"
+}
+
 variable "runner_os" {
   description = "The EC2 Operating System type to use for action runner instances (linux,windows)."
 
diff --git a/images/.gitignore b/images/.gitignore
@@ -0,0 +1,28 @@
+# Created by https://www.toptal.com/developers/gitignore/api/packer
+# Edit at https://www.toptal.com/developers/gitignore?templates=packer
+
+### Packer ###
+# Cache objects
+packer_cache/
+
+# Crash log
+crash.log
+
+# https://www.packer.io/guides/hcl/variables
+# Exclude all .pkrvars.hcl files, which are likely to contain sensitive data,
+# such as password, private keys, and other secrets. These should not be part of
+# version control as they are data points which are potentially sensitive and
+# subject to change depending on the environment.
+#
+*.pkrvars.hcl
+
+# For built boxes
+*.box
+
+### Packer Patch ###
+# ignore temporary output files
+output-*/
+
+# End of https://www.toptal.com/developers/gitignore/api/packer
+
+**/manifest.json
diff --git a/lambdas/functions/ami-housekeeper/src/ami.ts b/lambdas/functions/ami-housekeeper/src/ami.ts
@@ -217,11 +217,15 @@ async function getAmiInLatestTemplates(options: AmiCleanupOptions): Promise<(str
 
   // Discover launch templates, optionally filtered by specific names. If no
   // names provided, this will return all launch templates in the account
+  logger.debug('Describing launch templates', {
+    launchTemplateNames: options.launchTemplateNames,
+  });
   const launchTemplates = await ec2Client.send(
     new DescribeLaunchTemplatesCommand({
       LaunchTemplateNames: options.launchTemplateNames,
     }),
   );
+  logger.debug('Found launch templates', { launchTemplates });
 
   // For each template, fetch the default version and resolve any SSM aliases.
   const amiIdsNested = await Promise.all(
@@ -236,10 +240,12 @@ async function getAmiInLatestTemplates(options: AmiCleanupOptions): Promise<(str
         }),
       );
 
+      logger.debug('Found launch template versions', { versionsResp });
       return (versionsResp.LaunchTemplateVersions ?? []).map((v) => v.LaunchTemplateData?.ImageId);
     }),
   );
 
+  logger.debug('Found AMIs in launch templates', { amiIdsNested });
   return amiIdsNested.flat();
 }
 
@@ -283,6 +289,7 @@ async function getAmisReferedInSSM(options: AmiCleanupOptions): Promise<(string
 
     try {
       // Discover parameters matching the wildcard patterns
+      logger.debug('Describing SSM parameter', { filters });
       const ssmParameters = await ssmClient.send(new DescribeParametersCommand({ ParameterFilters: filters }));
 
       // Fetch the actual values of discovered parameters
@@ -296,6 +303,7 @@ async function getAmisReferedInSSM(options: AmiCleanupOptions): Promise<(string
 
   // Combine results from both explicit and wildcard parameter resolution
   const values = await Promise.all([explicitValuesPromise, wildcardValues]);
+  logger.debug('Resolved SSM parameter values', { values });
   return values.flat();
 }
 
diff --git a/modules/ami-housekeeper/policies/lambda-ami-housekeeper.json b/modules/ami-housekeeper/policies/lambda-ami-housekeeper.json
@@ -11,6 +11,7 @@
         "ec2:DeregisterImage",
         "ec2:DeleteSnapshot",
         "ssm:DescribeParameters",
+        "ssm:GetParameters",
         "ssm:GetParameter"
       ],
       "Resource": "*"
