Move Lambda Vars to Parameter Store

README.md

@@ -50,7 +50,7 @@ Scaling down the runners is at the moment brute-forced, every configurable amoun
 
 Downloading the GitHub Action Runner distribution can be occasionally slow (more than 10 minutes). Therefore a lambda is introduced that synchronizes the action runner binary from GitHub to an S3 bucket. The EC2 instance will fetch the distribution from the S3 bucket instead of the internet.
 
-Secrets and private keys which are passed to the lambdas as environment variables are encrypted by default by a KMS key managed by the module. Alternatively you can pass your own KMS key. Encryption via KMS can be complete disabled by setting `encrypt_secrets` to `false`.
+Secrets and private keys are stored in SSM Parameter Store. These values are encrypted using the default KMS key for SSM or passing in a custom KMS key.
 
 ![Architecture](docs/component-overview.svg)
 
@@ -325,6 +325,7 @@ No requirements.
 |------|--------|---------|
 | runner_binaries | ./modules/runner-binaries-syncer |  |
 | runners | ./modules/runners |  |
+| ssm | ./modules/ssm |  |
 | webhook | ./modules/webhook |  |
 
 ## Resources
@@ -334,7 +335,6 @@ No requirements.
 | [aws_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) |
 | [aws_resourcegroups_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) |
 | [aws_sqs_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) |
-| [aws_ssm_parameter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) |
 | [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) |
 
 ## Inputs
@@ -405,6 +405,7 @@ No requirements.
 |------|-------------|
 | binaries\_syncer | n/a |
 | runners | n/a |
+| ssm\_parameters | n/a |
 | webhook | n/a |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

main.tf

@@ -11,10 +11,10 @@ locals {
   kms_key_arn = var.kms_key_id != null ? data.aws_kms_key.cmk[0].arn : null
 
   github_app_parameters = {
-    client_id_arn     = aws_ssm_parameter.github_app_client_id.arn
-    client_secret_arn = aws_ssm_parameter.github_app_client_secret.arn
-    id_arn            = aws_ssm_parameter.github_app_id.arn
-    key_base64_arn    = aws_ssm_parameter.github_app_key_base64.arn
+    client_id     = module.ssm.parameters.github_app_client_id
+    client_secret = module.ssm.parameters.github_app_client_secret
+    id            = module.ssm.parameters.github_app_id
+    key_base64    = module.ssm.parameters.github_app_key_base64
   }
 }
 
@@ -35,6 +35,15 @@ resource "aws_sqs_queue" "queued_builds" {
   tags = var.tags
 }
 
+module "ssm" {
+  source = "./modules/ssm"
+
+  kms_key_arn = local.kms_key_arn
+  environment = var.environment
+  github_app  = var.github_app
+  tags        = local.tags
+}
+
 module "webhook" {
   source = "./modules/webhook"
 
@@ -44,7 +53,7 @@ module "webhook" {
   kms_key_arn = local.kms_key_arn
 
   sqs_build_queue               = aws_sqs_queue.queued_builds
-  github_app_webhook_secret_arn = aws_ssm_parameter.github_app_webhook_secret.arn
+  github_app_webhook_secret_arn = module.ssm.parameters.github_app_webhook_secret.arn
 
   lambda_s3_bucket                 = var.lambda_s3_bucket
   webhook_lambda_s3_key            = var.webhook_lambda_s3_key

modules/runners/README.md

@@ -98,7 +98,7 @@ No Modules.
 | enable\_ssm\_on\_runners | Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances. | `bool` | n/a | yes |
 | environment | A name that identifies the environment, used as prefix and for tagging. | `string` | n/a | yes |
 | ghes\_url | GitHub Enterprise Server URL. DO NOT SET IF USING PUBLIC GITHUB | `string` | `null` | no |
-| github\_app\_parameters | Parameter Store ARNs for GitHub App Parameters. | <pre>object({<br>    key_base64_arn    = string<br>    id_arn            = string<br>    client_id_arn     = string<br>    client_secret_arn = string<br>  })</pre> | n/a | yes |
+| github\_app\_parameters | Parameter Store for GitHub App Parameters. | <pre>object({<br>    key_base64    = map(string)<br>    id            = map(string)<br>    client_id     = map(string)<br>    client_secret = map(string)<br>  })</pre> | n/a | yes |
 | idle\_config | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. | <pre>list(object({<br>    cron      = string<br>    timeZone  = string<br>    idleCount = number<br>  }))</pre> | `[]` | no |
 | instance\_profile\_path | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no |
 | instance\_type | [DEPRECATED] See instance\_types. | `string` | `"m5.large"` | no |

modules/runners/lambdas/runners/package.json

@@ -18,18 +18,18 @@
   "devDependencies": {
     "@types/aws-lambda": "^8.10.75",
     "@types/express": "^4.17.11",
-    "@types/jest": "^26.0.20",
+    "@types/jest": "^26.0.24",
     "@typescript-eslint/eslint-plugin": "^4.17.0",
     "@typescript-eslint/parser": "^4.22.0",
     "@vercel/ncc": "^0.29.0",
     "eslint": "^7.22.0",
     "eslint-plugin-prettier": "3.4.0",
-    "jest": "^26.6.3",
+    "jest": "27.0.6",
     "jest-mock-extended": "^1.0.13",
     "moment-timezone": "^0.5.33",
     "nock": "^13.0.11",
-    "prettier": "2.3.1",
-    "ts-jest": "^26.5.5",
+    "prettier": "2.3.2",
+    "ts-jest": "^27.0.4",
     "ts-node": "^10.1.0",
     "ts-node-dev": "^1.1.6"
   },
@@ -40,7 +40,7 @@
     "@octokit/types": "^6.13.0",
     "@types/aws-lambda": "^8.10.75",
     "@types/express": "^4.17.11",
-    "@types/node": "^15.12.2",
+    "@types/node": "^16.4.3",
     "aws-sdk": "^2.888.0",
     "cron-parser": "^3.3.0",
     "typescript": "^4.2.3",

modules/runners/lambdas/runners/src/lambda.ts

@@ -2,8 +2,7 @@ import { scaleUp as scaleUpAction } from './scale-runners/scale-up';
 import { scaleDown as scaleDownAction } from './scale-runners/scale-down';
 import { SQSEvent, ScheduledEvent, Context } from 'aws-lambda';
 
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-module.exports.scaleUp = async (event: SQSEvent, context: Context, callback: any) => {
+export const scaleUp = async (event: SQSEvent, context: Context, callback: any): Promise<void> => {
   console.dir(event, { depth: 5 });
   try {
     for (const e of event.Records) {
@@ -17,8 +16,7 @@ module.exports.scaleUp = async (event: SQSEvent, context: Context, callback: any
   }
 };
 
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-module.exports.scaleDown = async (event: ScheduledEvent, context: Context, callback: any) => {
+export const scaleDown = async (event: ScheduledEvent, context: Context, callback: any): Promise<void> => {
   try {
     scaleDownAction();
     callback(null);

modules/runners/lambdas/runners/src/local-down.ts

@@ -0,0 +1,8 @@
+import { scaleDown } from './scale-runners/scale-down';
+
+
+export function run(): void {
+    scaleDown();
+}
+
+run();

modules/runners/lambdas/runners/src/local.ts

@@ -0,0 +1,32 @@
+import { scaleUp } from './scale-runners/scale-up';
+
+const sqsEvent = {
+    Records: [
+        {
+            messageId: 'e8d74d08-644e-42ca-bf82-a67daa6c4dad',
+            // eslint-disable-next-line max-len
+            receiptHandle: 'AQEBCpLYzDEKq4aKSJyFQCkJduSKZef8SJVOperbYyNhXqqnpFG5k74WygVAJ4O0+9nybRyeOFThvITOaS21/jeHiI5fgaM9YKuI0oGYeWCIzPQsluW5CMDmtvqv1aA8sXQ5n2x0L9MJkzgdIHTC3YWBFLQ2AxSveOyIHwW+cHLIFCAcZlOaaf0YtaLfGHGkAC4IfycmaijV8NSlzYgDuxrC9sIsWJ0bSvk5iT4ru/R4+0cjm7qZtGlc04k9xk5Fu6A+wRxMaIyiFRY+Ya19ykcevQldidmEjEWvN6CRToLgclk=',
+            // eslint-disable-next-line max-len
+            body: { "id": 19072, "repositoryName": "ErrBud", "repositoryOwner": "ActionsTest", "eventType": "check_run", "installationId": 5 },
+            attributes: {
+                ApproximateReceiveCount: '1',
+                SentTimestamp: '1626450047230',
+                SequenceNumber: '18863115285800432640',
+                MessageGroupId: '19072',
+                SenderId: 'AROA5KW7SQ6TTB3PW6WPH:cicddev-webhook',
+                MessageDeduplicationId: '0c458eeb87b7f6d2607301268fd3bf33dd898a49ebd888754ff7db510c4bff1e',
+                ApproximateFirstReceiveTimestamp: '1626450077251'
+            },
+            messageAttributes: {},
+            md5OfBody: '4aef3bd70526e152e86426a0938cbec6',
+            eventSource: 'aws:sqs',
+            eventSourceARN: 'arn:aws:sqs:us-west-2:916370655143:cicddev-queued-builds.fifo',
+            awsRegion: 'us-west-2'
+        }
+    ]
+};
+export function run(): void {
+    scaleUp(sqsEvent.Records[0].eventSource, sqsEvent.Records[0].body);
+}
+
+run();

modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts

@@ -16,11 +16,22 @@ const ENVIRONMENT = 'dev';
 const GITHUB_APP_ID = '1';
 const GITHUB_APP_CLIENT_ID = '1';
 const GITHUB_APP_CLIENT_SECRET = 'client_secret';
+const PARAMETER_GITHUB_APP_ID_NAME = `/actions-runner/${ENVIRONMENT}/github_app_id`;
+const PARAMETER_GITHUB_APP_KEY_BASE64_NAME = `/actions-runner/${ENVIRONMENT}/github_app_key_base64`;
+const PARAMETER_GITHUB_APP_CLIENT_ID_NAME = `/actions-runner/${ENVIRONMENT}/github_app_client_id`;
+const PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = `/actions-runner/${ENVIRONMENT}/github_app_client_secret`;
+
+const mockedGet = mocked(getParameterValue);
+
 
 beforeEach(() => {
   jest.resetModules();
   jest.clearAllMocks();
   process.env = { ...cleanEnv };
+  process.env.PARAMETER_GITHUB_APP_ID_NAME = PARAMETER_GITHUB_APP_ID_NAME;
+  process.env.PARAMETER_GITHUB_APP_KEY_BASE64_NAME = PARAMETER_GITHUB_APP_KEY_BASE64_NAME;
+  process.env.PARAMETER_GITHUB_APP_CLIENT_ID_NAME = PARAMETER_GITHUB_APP_CLIENT_ID_NAME;
+  process.env.PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME = PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME;
   nock.disableNetConnect();
 });
 
@@ -74,13 +85,12 @@ describe('Test createGithubAuth', () => {
       clientId: GITHUB_APP_CLIENT_ID,
       clientSecret: GITHUB_APP_CLIENT_SECRET,
     };
-
-    const mockedGet = mocked(getParameterValue);
     mockedGet
       .mockResolvedValueOnce(GITHUB_APP_ID)
       .mockResolvedValueOnce(b64)
       .mockResolvedValueOnce(GITHUB_APP_CLIENT_ID)
       .mockResolvedValueOnce(GITHUB_APP_CLIENT_SECRET);
+
     const mockedAuth = jest.fn();
     mockedAuth.mockResolvedValue({ token });
     // eslint-disable-next-line @typescript-eslint/no-unused-vars
@@ -92,10 +102,10 @@ describe('Test createGithubAuth', () => {
     const result = await createGithubAuth(installationId, authType);
 
     // Assert
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_id');
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_key_base64');
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_id');
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_secret');
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_ID_NAME);
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_KEY_BASE64_NAME);
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_ID_NAME);
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME);
 
     expect(mockedCreatAppAuth).toBeCalledTimes(1);
     expect(mockedCreatAppAuth).toBeCalledWith(authOptions);
@@ -121,7 +131,6 @@ describe('Test createGithubAuth', () => {
       request: mockedRequestInterface.defaults({ baseUrl: githubServerUrl }),
     };
 
-    const mockedGet = mocked(getParameterValue);
     mockedGet
       .mockResolvedValueOnce(GITHUB_APP_ID)
       .mockResolvedValueOnce(b64)
@@ -138,10 +147,10 @@ describe('Test createGithubAuth', () => {
     const result = await createGithubAuth(installationId, authType, githubServerUrl);
 
     // Assert
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_id');
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_key_base64');
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_id');
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_secret');
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_ID_NAME);
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_KEY_BASE64_NAME);
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_ID_NAME);
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME);
 
     expect(mockedCreatAppAuth).toBeCalledTimes(1);
     expect(mockedCreatAppAuth).toBeCalledWith(authOptions);
@@ -168,7 +177,6 @@ describe('Test createGithubAuth', () => {
       request: mockedRequestInterface.defaults({ baseUrl: githubServerUrl }),
     };
 
-    const mockedGet = mocked(getParameterValue);
     mockedGet
       .mockResolvedValueOnce(GITHUB_APP_ID)
       .mockResolvedValueOnce(b64)
@@ -185,10 +193,10 @@ describe('Test createGithubAuth', () => {
     const result = await createGithubAuth(installationId, authType, githubServerUrl);
 
     // Assert
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_id');
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_key_base64');
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_id');
-    expect(getParameterValue).toBeCalledWith(ENVIRONMENT, 'github_app_client_secret');
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_ID_NAME);
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_KEY_BASE64_NAME);
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_ID_NAME);
+    expect(getParameterValue).toBeCalledWith(PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME);
 
     expect(mockedCreatAppAuth).toBeCalledTimes(1);
     expect(mockedCreatAppAuth).toBeCalledWith(authOptions);

modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts

@@ -21,13 +21,15 @@ export async function createGithubAuth(
   authType: 'app' | 'installation',
   ghesApiUrl = '',
 ): Promise<AppAuthentication> {
-  const environment = process.env.ENVIRONMENT as string;
 
   let authOptions: StrategyOptions = {
-    appId: parseInt(await getParameterValue(environment, 'github_app_id')),
-    privateKey: Buffer.from(await getParameterValue(environment, 'github_app_key_base64'), 'base64').toString(),
-    clientId: await getParameterValue(environment, 'github_app_client_id'),
-    clientSecret: await getParameterValue(environment, 'github_app_client_secret'),
+    appId: parseInt(await getParameterValue(process.env.PARAMETER_GITHUB_APP_ID_NAME)),
+    privateKey: Buffer.from(
+      await getParameterValue(process.env.PARAMETER_GITHUB_APP_KEY_BASE64_NAME),
+      'base64')
+      .toString(),
+    clientId: await getParameterValue(process.env.PARAMETER_GITHUB_APP_CLIENT_ID_NAME),
+    clientSecret: await getParameterValue(process.env.PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME),
   };
   if (installationId) authOptions = { ...authOptions, installationId };
 

modules/runners/lambdas/runners/src/scale-runners/modules.d.ts

@@ -0,0 +1,15 @@
+declare namespace NodeJS {
+    export interface ProcessEnv {
+        ENVIRONMENT: string
+        SUBNET_IDS: string
+        GHES_URL: string
+        SCALE_DOWN_CONFIG: string
+        MINIMUM_RUNNING_TIME_IN_MINUTES: string
+        LAUNCH_TEMPLATE_NAME: string
+        AWS_REGION: string
+        PARAMETER_GITHUB_APP_CLIENT_ID_NAME: string
+        PARAMETER_GITHUB_APP_CLIENT_SECRET_NAME: string
+        PARAMETER_GITHUB_APP_ID_NAME: string
+        PARAMETER_GITHUB_APP_KEY_BASE64_NAME: string
+    }
+}

modules/runners/lambdas/runners/src/scale-runners/runners.ts

@@ -110,6 +110,6 @@ function getInstanceParams(
 }
 
 function getSubnet(): string {
-  const subnets = (process.env.SUBNET_IDS as string).split(',');
+  const subnets = (process.env.SUBNET_IDS).split(',');
   return subnets[Math.floor(Math.random() * subnets.length)];
 }