refactor: move queue policy to sqs policy instead off ssm

npalm · npalm · commit 932daae0484e · 2023-03-30T14:40:21.000+02:00
diff --git a/modules/webhook/policies/lambda-publish-sqs-policy.json b/modules/webhook/policies/lambda-publish-sqs-policy.json
@@ -5,6 +5,16 @@
       "Effect": "Allow",
       "Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],
       "Resource": ${sqs_resource_arns}
+      %{ if kms_key_arn != "" ~}
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+            "kms:Decrypt",
+            "kms:GenerateDataKey"
+        ],
+        "Resource": "${kms_key_arn}"
+    %{ endif ~}
     }
   ]
 }
diff --git a/modules/webhook/policies/lambda-ssm.json b/modules/webhook/policies/lambda-ssm.json
@@ -2,23 +2,13 @@
   "Version": "2012-10-17",
   "Statement": [
     {
-        "Effect": "Allow",
-        "Action": [
-            "ssm:GetParameter"
-        ],
-        "Resource": [
-            "${github_app_webhook_secret_arn}"
-        ]
-    %{ if kms_key_arn != "" ~}
-    },
-    {
-        "Effect": "Allow",
-        "Action": [
-            "kms:Decrypt",
-            "kms:GenerateDataKey"
-        ],
-        "Resource": "${kms_key_arn}"
-    %{ endif ~}
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameter"
+      ],
+      "Resource": [
+        "${github_app_webhook_secret_arn}"
+      ]
     }
   ]
 }
diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf
@@ -88,6 +88,7 @@ resource "aws_iam_role_policy" "webhook_sqs" {
 
   policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode([for k, v in var.runner_config : v.arn])
+    kms_key_arn       = var.kms_key_arn != null ? var.kms_key_arn : ""
   })
 }
 
@@ -98,6 +99,7 @@ resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
 
   policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
     sqs_resource_arns = jsonencode([var.sqs_workflow_job_queue.arn])
+    kms_key_arn       = var.kms_key_arn != null ? var.kms_key_arn : ""
   })
 }
 
@@ -107,6 +109,5 @@ resource "aws_iam_role_policy" "webhook_ssm" {
 
   policy = templatefile("${path.module}/policies/lambda-ssm.json", {
     github_app_webhook_secret_arn = var.github_app_parameters.webhook_secret.arn,
-    kms_key_arn                   = var.kms_key_arn != null ? var.kms_key_arn : ""
   })
 }

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,16 @@`
`5`	`5`	`"Effect": "Allow",`
`6`	`6`	`"Action": ["sqs:SendMessage", "sqs:GetQueueAttributes"],`
`7`	`7`	`"Resource": ${sqs_resource_arns}`
	`8`	`+ %{ if kms_key_arn != "" ~}`
	`9`	`+ },`
	`10`	`+ {`
	`11`	`+ "Effect": "Allow",`
	`12`	`+ "Action": [`
	`13`	`+ "kms:Decrypt",`
	`14`	`+ "kms:GenerateDataKey"`
	`15`	`+ ],`
	`16`	`+ "Resource": "${kms_key_arn}"`
	`17`	`+ %{ endif ~}`
`8`	`18`	`}`
`9`	`19`	`]`
`10`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,7 @@ resource "aws_iam_role_policy" "webhook_sqs" {`
`88`	`88`
`89`	`89`	`policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {`
`90`	`90`	`sqs_resource_arns = jsonencode([for k, v in var.runner_config : v.arn])`
	`91`	`+ kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : ""`
`91`	`92`	`})`
`92`	`93`	`}`
`93`	`94`
`@@ -98,6 +99,7 @@ resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {`
`98`	`99`
`99`	`100`	`policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {`
`100`	`101`	`sqs_resource_arns = jsonencode([var.sqs_workflow_job_queue.arn])`
	`102`	`+ kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : ""`
`101`	`103`	`})`
`102`	`104`	`}`
`103`	`105`
`@@ -107,6 +109,5 @@ resource "aws_iam_role_policy" "webhook_ssm" {`
`107`	`109`
`108`	`110`	`policy = templatefile("${path.module}/policies/lambda-ssm.json", {`
`109`	`111`	`github_app_webhook_secret_arn = var.github_app_parameters.webhook_secret.arn,`
`110`		`- kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : ""`
`111`	`112`	`})`
`112`	`113`	`}`