fix: ensure IAM Role name length does not exceed 64 characters

When using a long enough `prefix`, the IAM Roles can exceed the maximum
length allowed by AWS.

For example:

```
│ Error: expected length of name to be in the range (1 - 64), got github-runners-prod-xxxxxxxxxxxxxx-prod-action-scale-down-lambda-role
│
│   with module.multi_runner.module.runners["xxxxxxxxxxxxxx-prod"].aws_iam_role.scale_down,
│   on .terraform/modules/multi_runner/modules/runners/scale-down.tf line 88, in resource "aws_iam_role" "scale_down":
│   88:   name                 = "${var.prefix}-action-scale-down-lambda-role"
```

There is nowhere to override this, so your only options are to change
the prefix for the entire module. This commit resolves this by
truncating the name to fit under the maximum length.

This primarily happens on the scale-up and scale-down Lambdas, but I've
added it everywhere for consistency.

Fixes: #3973

Author: aarongorka

modules/ami-housekeeper/main.tf

@@ -55,7 +55,7 @@ resource "aws_cloudwatch_log_group" "ami_housekeeper" {
 }
 
 resource "aws_iam_role" "ami_housekeeper" {
-  name                 = "${var.prefix}-ami-housekeeper-role"
+  name                 = substr("${var.prefix}-ami-housekeeper-role", 0, 63)
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path
   permissions_boundary = var.role_permissions_boundary

modules/lambda/main.tf

@@ -60,7 +60,7 @@ resource "aws_cloudwatch_log_group" "main" {
 }
 
 resource "aws_iam_role" "main" {
-  name                 = "${var.lambda.prefix}-${var.lambda.name}"
+  name                 = substr("${var.lambda.prefix}-${var.lambda.name}", 0, 63)
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path
   permissions_boundary = var.lambda.role_permissions_boundary

modules/runner-binaries-syncer/runner-binaries-syncer.tf

@@ -58,7 +58,7 @@ resource "aws_lambda_function" "syncer" {
 
 resource "aws_iam_role_policy" "lambda_kms" {
   count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.kms_master_key_id, null) != null ? 1 : 0
-  name  = "${var.prefix}-lambda-kms-policy-syncer"
+  name  = substr("${var.prefix}-lambda-kms-policy-syncer", 0, 63)
   role  = aws_iam_role.syncer_lambda.id
 
   policy = templatefile("${path.module}/policies/lambda-kms.json", {

modules/runners/policies-runner.tf

@@ -1,7 +1,7 @@
 data "aws_caller_identity" "current" {}
 
 resource "aws_iam_role" "runner" {
-  name                 = "${var.prefix}-runner-role"
+  name                 = substr("${var.prefix}-runner-role", 0, 63)
   assume_role_policy   = templatefile("${path.module}/policies/instance-role-trust-policy.json", {})
   path                 = local.role_path
   permissions_boundary = var.role_permissions_boundary

modules/runners/pool/main.tf

@@ -74,7 +74,7 @@ resource "aws_cloudwatch_log_group" "pool" {
 }
 
 resource "aws_iam_role" "pool" {
-  name                 = "${var.config.prefix}-action-pool-lambda-role"
+  name                 = substr("${var.config.prefix}-action-pool-lambda-role", 0, 63)
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = var.config.role_path
   permissions_boundary = var.config.role_permissions_boundary

modules/runners/scale-down.tf

@@ -85,7 +85,7 @@ resource "aws_lambda_permission" "scale_down" {
 }
 
 resource "aws_iam_role" "scale_down" {
-  name                 = "${var.prefix}-action-scale-down-lambda-role"
+  name                 = substr("${var.prefix}-action-scale-down-lambda-role", 0, 63)
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path
   permissions_boundary = var.role_permissions_boundary

modules/runners/scale-up.tf

@@ -101,7 +101,7 @@ resource "aws_lambda_permission" "scale_runners_lambda" {
 }
 
 resource "aws_iam_role" "scale_up" {
-  name                 = "${var.prefix}-action-scale-up-lambda-role"
+  name                 = substr("${var.prefix}-action-scale-up-lambda-role", 0, 63)
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path
   permissions_boundary = var.role_permissions_boundary

modules/runners/ssm-housekeeper.tf

@@ -83,7 +83,7 @@ resource "aws_lambda_permission" "ssm_housekeeper" {
 }
 
 resource "aws_iam_role" "ssm_housekeeper" {
-  name                 = "${var.prefix}-ssm-hk-lambda"
+  name                 = substr("${var.prefix}-ssm-hk-lambda", 0, 63)
   description          = "Lambda role for SSM Housekeeper (${var.prefix})"
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = local.role_path

modules/setup-iam-permissions/main.tf

@@ -1,7 +1,7 @@
 data "aws_caller_identity" "current" {}
 
 resource "aws_iam_role" "deploy" {
-  name = "${var.prefix}-terraform"
+  name = substr("${var.prefix}-terraform", 0, 63)
 
   permissions_boundary = aws_iam_policy.deploy_boundary.arn
   assume_role_policy = templatefile("${path.module}/policies/assume-role-for-account.json", {

modules/webhook/direct/webhook.tf

@@ -90,7 +90,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
 }
 
 resource "aws_iam_role" "webhook_lambda" {
-  name                 = "${var.config.prefix}-direct-webhook-lambda-role"
+  name                 = substr("${var.config.prefix}-direct-webhook-lambda-role", 0, 63)
   assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
   path                 = var.config.role_path
   permissions_boundary = var.config.role_permissions_boundary