ensure roles are unique

npalm · npalm · commit 33cc133619ae · 2025-09-03T23:41:01.000+02:00
diff --git a/modules/ami-housekeeper/main.tf b/modules/ami-housekeeper/main.tf
@@ -55,7 +55,7 @@ resource "aws_cloudwatch_log_group" "ami_housekeeper" {
 }
 
 resource "aws_iam_role" "ami_housekeeper" {
-  name                 = substr("${var.prefix}-ami-housekeeper-role", 0, 63)
+  name                 = "${substr("${var.prefix}-ami-housekeeper-role", 0, 54)}-${substr(md5("${var.prefix}-ami-housekeeper-role"), 0, 8)}"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path
   permissions_boundary = var.role_permissions_boundary
diff --git a/modules/lambda/main.tf b/modules/lambda/main.tf
@@ -60,7 +60,7 @@ resource "aws_cloudwatch_log_group" "main" {
 }
 
 resource "aws_iam_role" "main" {
-  name                 = substr("${var.lambda.prefix}-${var.lambda.name}", 0, 63)
+  name                 = "${substr("${var.lambda.prefix}-${var.lambda.name}", 0, 54)}-${substr(md5("${var.lambda.prefix}-${var.lambda.name}"), 0, 8)}"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path
   permissions_boundary = var.lambda.role_permissions_boundary
diff --git a/modules/runners/policies-runner.tf b/modules/runners/policies-runner.tf
@@ -1,7 +1,7 @@
 data "aws_caller_identity" "current" {}
 
 resource "aws_iam_role" "runner" {
-  name                 = substr("${var.prefix}-runner-role", 0, 63)
+  name                 = "${substr("${var.prefix}-runner-role", 0, 54)}-${substr(md5("${var.prefix}-runner-role"), 0, 8)}"
   assume_role_policy   = templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
   path                 = local.role_path
   permissions_boundary = var.role_permissions_boundary
diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf
@@ -74,7 +74,7 @@ resource "aws_cloudwatch_log_group" "pool" {
 }
 
 resource "aws_iam_role" "pool" {
-  name                 = substr("${var.config.prefix}-action-pool-lambda-role", 0, 63)
+  name                 = "${substr("${var.config.prefix}-action-pool-lambda-role", 0, 54)}-${substr(md5("${var.config.prefix}-action-pool-lambda-role"), 0, 8)}"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = var.config.role_path
   permissions_boundary = var.config.role_permissions_boundary
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
@@ -85,7 +85,7 @@ resource "aws_lambda_permission" "scale_down" {
 }
 
 resource "aws_iam_role" "scale_down" {
-  name                 = substr("${var.prefix}-action-scale-down-lambda-role", 0, 63)
+  name                 = "${substr("${var.prefix}-action-scale-down-lambda-role", 0, 54)}-${substr(md5("${var.prefix}-action-scale-down-lambda-role"), 0, 8)}"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path
   permissions_boundary = var.role_permissions_boundary
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
@@ -101,7 +101,7 @@ resource "aws_lambda_permission" "scale_runners_lambda" {
 }
 
 resource "aws_iam_role" "scale_up" {
-  name                 = substr("${var.prefix}-action-scale-up-lambda-role", 0, 63)
+  name                 = "${substr("${var.prefix}-action-scale-up-lambda-role", 0, 54)}-${substr(md5("${var.prefix}-action-scale-up-lambda-role"), 0, 8)}"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path
   permissions_boundary = var.role_permissions_boundary
diff --git a/modules/runners/ssm-housekeeper.tf b/modules/runners/ssm-housekeeper.tf
@@ -83,7 +83,7 @@ resource "aws_lambda_permission" "ssm_housekeeper" {
 }
 
 resource "aws_iam_role" "ssm_housekeeper" {
-  name                 = substr("${var.prefix}-ssm-hk-lambda", 0, 63)
+  name                 = "${substr("${var.prefix}-ssm-hk-lambda", 0, 54)}-${substr(md5("${var.prefix}-ssm-hk-lambda"), 0, 8)}"
   description          = "Lambda role for SSM Housekeeper (${var.prefix})"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path
diff --git a/modules/setup-iam-permissions/main.tf b/modules/setup-iam-permissions/main.tf
@@ -1,7 +1,7 @@
 data "aws_caller_identity" "current" {}
 
 resource "aws_iam_role" "deploy" {
-  name = substr("${var.prefix}-terraform", 0, 63)
+  name = "${substr("${var.prefix}-terraform", 0, 54)}-${substr(md5("${var.prefix}-terraform"), 0, 8)}"
 
   permissions_boundary = aws_iam_policy.deploy_boundary.arn
   assume_role_policy = templatefile("${path.module}/policies/assume-role-for-account.json", {
diff --git a/modules/webhook/direct/webhook.tf b/modules/webhook/direct/webhook.tf
@@ -90,7 +90,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
 }
 
 resource "aws_iam_role" "webhook_lambda" {
-  name                 = substr("${var.config.prefix}-direct-webhook-lambda-role", 0, 63)
+  name                 = "${substr("${var.config.prefix}-direct-webhook-lambda-role", 0, 54)}-${substr(md5("${var.config.prefix}-direct-webhook-lambda-role"), 0, 8)}"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = var.config.role_path
   permissions_boundary = var.config.role_permissions_boundary
diff --git a/modules/webhook/eventbridge/dispatcher.tf b/modules/webhook/eventbridge/dispatcher.tf
@@ -85,7 +85,7 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda" {
 }
 
 resource "aws_iam_role" "dispatcher_lambda" {
-  name                 = substr("${var.config.prefix}-dispatcher-lambda-role", 0, 63)
+  name                 = "${substr("${var.config.prefix}-dispatcher-lambda-role", 0, 54)}-${substr(md5("${var.config.prefix}-dispatcher-lambda-role"), 0, 8)}"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = var.config.role_path
   permissions_boundary = var.config.role_permissions_boundary
diff --git a/modules/webhook/eventbridge/webhook.tf b/modules/webhook/eventbridge/webhook.tf
@@ -89,7 +89,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
 }
 
 resource "aws_iam_role" "webhook_lambda" {
-  name                 = substr("${var.config.prefix}-eventbridge-webhook-lambda-role", 0, 63)
+  name                 = "${substr("${var.config.prefix}-eventbridge-webhook-lambda-role", 0, 54)}-${substr(md5("${var.config.prefix}-eventbridge-webhook-lambda-role"), 0, 8)}"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = var.config.role_path
   permissions_boundary = var.config.role_permissions_boundary

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ resource "aws_cloudwatch_log_group" "ami_housekeeper" {`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`resource "aws_iam_role" "ami_housekeeper" {`
`58`		`- name = substr("${var.prefix}-ami-housekeeper-role", 0, 63)`
	`58`	`+ name = "${substr("${var.prefix}-ami-housekeeper-role", 0, 54)}-${substr(md5("${var.prefix}-ami-housekeeper-role"), 0, 8)}"`
`59`	`59`	`assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json`
`60`	`60`	`path = local.role_path`
`61`	`61`	`permissions_boundary = var.role_permissions_boundary`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ resource "aws_cloudwatch_log_group" "main" {`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`resource "aws_iam_role" "main" {`
`63`		`- name = substr("${var.lambda.prefix}-${var.lambda.name}", 0, 63)`
	`63`	`+ name = "${substr("${var.lambda.prefix}-${var.lambda.name}", 0, 54)}-${substr(md5("${var.lambda.prefix}-${var.lambda.name}"), 0, 8)}"`
`64`	`64`	`assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json`
`65`	`65`	`path = local.role_path`
`66`	`66`	`permissions_boundary = var.lambda.role_permissions_boundary`
Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ resource "aws_cloudwatch_log_group" "pool" {`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`resource "aws_iam_role" "pool" {`
`77`		`- name = substr("${var.config.prefix}-action-pool-lambda-role", 0, 63)`
	`77`	`+ name = "${substr("${var.config.prefix}-action-pool-lambda-role", 0, 54)}-${substr(md5("${var.config.prefix}-action-pool-lambda-role"), 0, 8)}"`
`78`	`78`	`assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json`
`79`	`79`	`path = var.config.role_path`
`80`	`80`	`permissions_boundary = var.config.role_permissions_boundary`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ resource "aws_lambda_permission" "scale_down" {`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`resource "aws_iam_role" "scale_down" {`
`88`		`- name = substr("${var.prefix}-action-scale-down-lambda-role", 0, 63)`
	`88`	`+ name = "${substr("${var.prefix}-action-scale-down-lambda-role", 0, 54)}-${substr(md5("${var.prefix}-action-scale-down-lambda-role"), 0, 8)}"`
`89`	`89`	`assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json`
`90`	`90`	`path = local.role_path`
`91`	`91`	`permissions_boundary = var.role_permissions_boundary`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ resource "aws_lambda_permission" "scale_runners_lambda" {`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`resource "aws_iam_role" "scale_up" {`
`104`		`- name = substr("${var.prefix}-action-scale-up-lambda-role", 0, 63)`
	`104`	`+ name = "${substr("${var.prefix}-action-scale-up-lambda-role", 0, 54)}-${substr(md5("${var.prefix}-action-scale-up-lambda-role"), 0, 8)}"`
`105`	`105`	`assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json`
`106`	`106`	`path = local.role_path`
`107`	`107`	`permissions_boundary = var.role_permissions_boundary`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ resource "aws_lambda_permission" "ssm_housekeeper" {`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`resource "aws_iam_role" "ssm_housekeeper" {`
`86`		`- name = substr("${var.prefix}-ssm-hk-lambda", 0, 63)`
	`86`	`+ name = "${substr("${var.prefix}-ssm-hk-lambda", 0, 54)}-${substr(md5("${var.prefix}-ssm-hk-lambda"), 0, 8)}"`
`87`	`87`	`description = "Lambda role for SSM Housekeeper (${var.prefix})"`
`88`	`88`	`assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json`
`89`	`89`	`path = local.role_path`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`resource "aws_iam_role" "webhook_lambda" {`
`93`		`- name = substr("${var.config.prefix}-direct-webhook-lambda-role", 0, 63)`
	`93`	`+ name = "${substr("${var.config.prefix}-direct-webhook-lambda-role", 0, 54)}-${substr(md5("${var.config.prefix}-direct-webhook-lambda-role"), 0, 8)}"`
`94`	`94`	`assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json`
`95`	`95`	`path = var.config.role_path`
`96`	`96`	`permissions_boundary = var.config.role_permissions_boundary`