From 7c79167648efc67b1eafc02d475f5fbabc704d1b Mon Sep 17 00:00:00 2001
From: Zhuoyun Wei
Date: Wed, 31 May 2023 14:39:41 -0700
Subject: [PATCH 1/4] fix(runners): remove duplicate VPC permissions
---
 modules/runners/policies/lambda-vpc.json | 14 --------------
 modules/runners/scale-down.tf | 8 --------
 modules/runners/scale-up.tf | 8 --------
 3 files changed, 30 deletions(-)
 delete mode 100644 modules/runners/policies/lambda-vpc.json
diff --git a/modules/runners/policies/lambda-vpc.json b/modules/runners/policies/lambda-vpc.json
deleted file mode 100644
index 241153d981..0000000000
--- a/modules/runners/policies/lambda-vpc.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateNetworkInterface",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DeleteNetworkInterface"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
index fa10ae77ca..989bd02aab 100644
--- a/modules/runners/scale-down.tf
+++ b/modules/runners/scale-down.tf
@@ -104,14 +104,6 @@ resource "aws_iam_role_policy" "scale_down_logging" {
 })
 }
-resource "aws_iam_role_policy" "lambda_scale_down_vpc" {
- count = length(var.lambda_subnet_ids) > 0 && length(var.lambda_security_group_ids) > 0 ? 1 : 0
- name = "${var.prefix}-lambda-scale-down-vpc"
- role = aws_iam_role.scale_down.id
-
- policy = file("${path.module}/policies/lambda-vpc.json")
-}
-
 resource "aws_iam_role_policy_attachment" "scale_down_vpc_execution_role" {
 count = length(var.lambda_subnet_ids) > 0 ? 1 : 0
 role = aws_iam_role.scale_down.name
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
index eb5f954b3f..c95ce304cd 100644
--- a/modules/runners/scale-up.tf
+++ b/modules/runners/scale-up.tf
@@ -118,14 +118,6 @@ resource "aws_iam_role_policy" "service_linked_role" {
 policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition })
 }
-resource "aws_iam_role_policy" "lambda_scale_up_vpc" {
- count = length(var.lambda_subnet_ids) > 0 && length(var.lambda_security_group_ids) > 0 ? 1 : 0
- name = "${var.prefix}-lambda-scale-up-vpc"
- role = aws_iam_role.scale_up.id
-
- policy = file("${path.module}/policies/lambda-vpc.json")
-}
-
 resource "aws_iam_role_policy_attachment" "scale_up_vpc_execution_role" {
 count = length(var.lambda_subnet_ids) > 0 ? 1 : 0
 role = aws_iam_role.scale_up.name
From 50add8f8d84995a784c18b6429cf8954210933f2 Mon Sep 17 00:00:00 2001
From: Zhuoyun Wei
Date: Wed, 31 May 2023 14:42:41 -0700
Subject: [PATCH 2/4] fix(syncer): remove duplicate permissions
---
 .../policies/lambda-vpc.json | 14 --------------
 .../runner-binaries-syncer.tf | 8 --------
 2 files changed, 22 deletions(-)
 delete mode 100644 modules/runner-binaries-syncer/policies/lambda-vpc.json
diff --git a/modules/runner-binaries-syncer/policies/lambda-vpc.json b/modules/runner-binaries-syncer/policies/lambda-vpc.json
deleted file mode 100644
index 241153d981..0000000000
--- a/modules/runner-binaries-syncer/policies/lambda-vpc.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateNetworkInterface",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DeleteNetworkInterface"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
index fefe91b534..7226b76ebe 100644
--- a/modules/runner-binaries-syncer/runner-binaries-syncer.tf
+++ b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
@@ -108,14 +108,6 @@ resource "aws_iam_role_policy" "lambda_logging" {
 })
 }
-resource "aws_iam_role_policy" "lambda_syncer_vpc" {
- count = length(var.lambda_subnet_ids) > 0 && length(var.lambda_security_group_ids) > 0 ? 1 : 0
- name = "${var.prefix}-lambda-syncer-vpc"
- role = aws_iam_role.syncer_lambda.id
-
- policy = file("${path.module}/policies/lambda-vpc.json")
-}
-
 resource "aws_iam_role_policy" "syncer" {
 name = "${var.prefix}-lambda-syncer-s3-policy"
 role = aws_iam_role.syncer_lambda.id
From 380d085f003d8dd62456342b555e86a34bf477ac Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 31 May 2023 21:44:28 +0000
Subject: [PATCH 3/4] docs: auto update terraform docs
---
 modules/runner-binaries-syncer/README.md | 1 -
 modules/runners/README.md | 2 --
 2 files changed, 3 deletions(-)
diff --git a/modules/runner-binaries-syncer/README.md b/modules/runner-binaries-syncer/README.md
index 15fe3e6613..adc2941937 100644
--- a/modules/runner-binaries-syncer/README.md
+++ b/modules/runner-binaries-syncer/README.md
@@ -63,7 +63,6 @@ No modules.
 | [aws_iam_role.syncer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.lambda_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.lambda_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy.lambda_syncer_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.syncer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.syncer_lambda_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.syncer_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
diff --git a/modules/runners/README.md b/modules/runners/README.md
index 98b042f906..0a3fdde3f2 100644
--- a/modules/runners/README.md
+++ b/modules/runners/README.md
@@ -87,8 +87,6 @@ yarn run dist
 | [aws_iam_role_policy.describe_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.dist_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy.lambda_scale_down_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy.lambda_scale_up_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.runner_session_manager_aws_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.scale_down](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.scale_down_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
From 65efde73bc085322d68c5951021d893ad97c137d Mon Sep 17 00:00:00 2001
From: Zhuoyun Wei
Date: Wed, 31 May 2023 14:51:11 -0700
Subject: [PATCH 4/4] fix(pool): remove duplicate permissions
---
 modules/runners/pool/main.tf | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf
index 92395a0e9f..f0b3e3491d 100644
--- a/modules/runners/pool/main.tf
+++ b/modules/runners/pool/main.tf
@@ -94,14 +94,6 @@ resource "aws_iam_role_policy" "pool_logging" {
 })
 }
-resource "aws_iam_role_policy" "lambda_pool_vpc" {
- count = length(var.config.lambda.subnet_ids) > 0 && length(var.config.lambda.security_group_ids) > 0 ? 1 : 0
- name = "${var.config.prefix}-lambda-pool-vpc"
- role = aws_iam_role.pool.id
-
- policy = file("${path.module}/../policies/lambda-vpc.json")
-}
-
 resource "aws_iam_role_policy_attachment" "pool_vpc_execution_role" {
 count = length(var.config.lambda.subnet_ids) > 0 ? 1 : 0
 role = aws_iam_role.pool.name