From 362bb1e41f9d2f143b3543d24cc95f06c6423a8f Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Thu, 31 Oct 2024 13:00:51 +0100
Subject: [PATCH 1/5] fix(webhook0: add missing permission to workflow job quque for dispatcher (eventbridge)
---
 modules/webhook/eventbridge/dispatcher.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/modules/webhook/eventbridge/dispatcher.tf b/modules/webhook/eventbridge/dispatcher.tf
index 19016091e3..92daa253d3 100644
--- a/modules/webhook/eventbridge/dispatcher.tf
+++ b/modules/webhook/eventbridge/dispatcher.tf
@@ -143,3 +143,13 @@ resource "aws_iam_role_policy" "dispatcher_xray" {
 policy = data.aws_iam_policy_document.lambda_xray[0].json
 role = aws_iam_role.dispatcher_lambda.name
 }
+
+resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
+ count = var.config.sqs_workflow_job_queue != null ? 1 : 0
+ name = "publish-workflow-job-sqs-policy"
+ role = aws_iam_role.webhook_lambda.name
+
+ policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
+ sqs_resource_arns = jsonencode([var.config.sqs_workflow_job_queue.arn])
+ })
+}

From bc3818ee61a46558f991870a199b422c6847f078 Mon Sep 17 00:00:00 2001
From: philips-labs-pr|bot
Date: Thu, 31 Oct 2024 12:01:23 +0000
Subject: [PATCH 2/5] docs: auto update terraform docs
---
 modules/webhook/eventbridge/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/webhook/eventbridge/README.md b/modules/webhook/eventbridge/README.md
index c47a8863ae..828679a1bc 100644
--- a/modules/webhook/eventbridge/README.md
+++ b/modules/webhook/eventbridge/README.md
@@ -39,6 +39,7 @@ No modules.
 | [aws_iam_role_policy.webhook_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.webhook_workflow_job_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.dispatcher_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.webhook_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |

From 732292e815790bbb3a6cfd89a252a6764954a338 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Thu, 31 Oct 2024 13:12:00 +0100
Subject: [PATCH 3/5] fix: permission dispatcher for workflow job queueu
---
 examples/default/main.tf | 5 +++++
 modules/webhook/eventbridge/dispatcher.tf | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/examples/default/main.tf b/examples/default/main.tf
index 873786683b..bf350fd276 100644
--- a/examples/default/main.tf
+++ b/examples/default/main.tf
@@ -26,6 +26,11 @@ module "runners" {
 Project = "ProjectX"
 }
 
+ eventbridge = {
+ enable = true
+ }
+ enable_workflow_job_events_queue = true
+
 github_app = {
 key_base64 = var.github_app.key_base64
 id = var.github_app.id
diff --git a/modules/webhook/eventbridge/dispatcher.tf b/modules/webhook/eventbridge/dispatcher.tf
index 92daa253d3..549d4c2a55 100644
--- a/modules/webhook/eventbridge/dispatcher.tf
+++ b/modules/webhook/eventbridge/dispatcher.tf
@@ -144,10 +144,10 @@ resource "aws_iam_role_policy" "dispatcher_xray" {
 role = aws_iam_role.dispatcher_lambda.name
 }
 
-resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
+resource "aws_iam_role_policy" "dispatcher_workflow_job_sqs" {
 count = var.config.sqs_workflow_job_queue != null ? 1 : 0
 name = "publish-workflow-job-sqs-policy"
- role = aws_iam_role.webhook_lambda.name
+ role = aws_iam_role.dispatcher_lambda.name
 
 policy = templatefile("${path.module}/../policies/lambda-publish-sqs-policy.json", {
 sqs_resource_arns = jsonencode([var.config.sqs_workflow_job_queue.arn])

From b7a7e19fa84c693798a5b197ab4439004dfdc55f Mon Sep 17 00:00:00 2001
From: philips-labs-pr|bot
Date: Thu, 31 Oct 2024 12:12:48 +0000
Subject: [PATCH 4/5] docs: auto update terraform docs
---
 modules/webhook/eventbridge/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/webhook/eventbridge/README.md b/modules/webhook/eventbridge/README.md
index 828679a1bc..74e20afb37 100644
--- a/modules/webhook/eventbridge/README.md
+++ b/modules/webhook/eventbridge/README.md
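Review bot: `+resource "aws_iam_role_policy" "dispatcher_workflow_job_sqs"` attaches a second inline SQS policy to `aws_iam_role.dispatcher_lambda` under the generic name `publish-workflow-job-sqs-policy`, while the README regenerated in PATCH 4/5 already lists an `aws_iam_role_policy.dispatcher_sqs`; if that existing policy is on the same role and rendered from the same `lambda-publish-sqs-policy.json` template, appending `var.config.sqs_workflow_job_queue.arn` to its `sqs_resource_arns` list would keep every queue this role may publish to in one auditable statement rather than two. If a separate resource is preferred, a why-comment above it would spare the next reader a trip into the template, e.g. `# Optional: grants the dispatcher publish access to the dedicated workflow_job queue only; created solely when var.config.sqs_workflow_job_queue is set.`, with the intent confirmed against the dispatcher code. The `count` guard on the first line correctly keeps the `.arn` reference from being evaluated when the queue is not configured. The resource's closing `})` and `}` lines fall outside this hunk.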
@@ -34,12 +34,12 @@ No modules.
 | [aws_iam_role_policy.dispatcher_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.dispatcher_workflow_job_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dispatcher_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.webhook_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy.webhook_workflow_job_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.dispatcher_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.webhook_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |

From 70216a02db36f9e1932d268ac6a4174d6bbf5b47 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Thu, 31 Oct 2024 13:13:27 +0100
Subject: [PATCH 5/5] fix: permission dispatcher for workflow job queueu
---
 examples/default/main.tf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/examples/default/main.tf b/examples/default/main.tf
index bf350fd276..873786683b 100644
--- a/examples/default/main.tf
+++ b/examples/default/main.tf
@@ -26,11 +26,6 @@ module "runners" {
 Project = "ProjectX"
 }
 
- eventbridge = {
- enable = true
- }
- enable_workflow_job_events_queue = true
-
 github_app = {
 key_base64 = var.github_app.key_base64
 id = var.github_app.id