10 changes: 9 additions & 1 deletion main.tf
Expand Up @@ -48,9 +48,16 @@ data "aws_iam_policy_document" "deny_insecure_transport" {
}
}

data "aws_iam_policy_document" "build_queue_policy" {
source_policy_documents = compact([
data.aws_iam_policy_document.deny_insecure_transport.json,
var.sqs_build_queue_extra_policy_json,
])
}

resource "aws_sqs_queue_policy" "build_queue_policy" {
queue_url = aws_sqs_queue.queued_builds.id
policy = data.aws_iam_policy_document.deny_insecure_transport.json
policy = data.aws_iam_policy_document.build_queue_policy.json
}

resource "aws_sqs_queue" "queued_builds" {
Expand Down Expand Up @@ -97,6 +104,7 @@ module "ssm" {

module "webhook" {
source = "./modules/webhook"
count = var.create_webhook_module ? 1 : 0

ssm_paths = {
root = local.ssm_root_path
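Review bot: Giving `module "webhook"` a `count` makes every other `module.webhook.*` reference in this file an index error once `create_webhook_module = false`, and only the two `output "webhook"` blocks in this PR were updated with `[0]` and a conditional; any remaining reference outside these hunks (inputs handed to other modules, a `depends_on`) needs the same treatment, which I cannot confirm from here. The `module "webhook"` block continues past the end of the hunk, and the identical `count` line lands in modules/multi-runner/webhook.tf. A short comment above the count line would make the mode switch visible to readers of this file, e.g. `# Skipped when webhook delivery is handled outside this stack; the webhook output is then null.`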
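--- a/modules/multi-runner/outputs.tf
+++ b/modules/multi-runner/outputs.tf
@@ -32,16 +32,16 @@ output "binaries_syncer_map" {
 }
 
 output "webhook" {
-value = {
-gateway = module.webhook.gateway
-lambda = module.webhook.lambda
-lambda_log_group = module.webhook.lambda_log_group
-lambda_role = module.webhook.role
-endpoint = "${module.webhook.gateway.api_endpoint}/${module.webhook.endpoint_relative_path}"
-webhook = module.webhook.webhook
-dispatcher = var.eventbridge.enable ? module.webhook.dispatcher : null
-eventbridge = var.eventbridge.enable ? module.webhook.eventbridge : null
-}
+value = var.create_webhook_module ? {
+gateway = module.webhook[0].gateway
+lambda = module.webhook[0].lambda
+lambda_log_group = module.webhook[0].lambda_log_group
+lambda_role = module.webhook[0].role
+endpoint = "${module.webhook[0].gateway.api_endpoint}/${module.webhook[0].endpoint_relative_path}"
+webhook = module.webhook[0].webhook
+dispatcher = var.eventbridge.enable ? module.webhook[0].dispatcher : null
+eventbridge = var.eventbridge.enable ? module.webhook[0].eventbridge : null
+} : null
 }
 
 output "ssm_parameters" {
@@ -67,3 +67,13 @@ output "instance_termination_handler" {
 lambda_role = module.instance_termination_watcher[0].spot_termination_handler.lambda_role
 } : null
 }
+
+output "queues" {
+description = "SQS build queues per runner type."
+value = {
+for key in keys(var.multi_runner_config) : key => {
+build_queue_arn = aws_sqs_queue.queued_builds[key].arn
+build_queue_url = aws_sqs_queue.queued_builds[key].url
+}
+}
+}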
11 changes: 10 additions & 1 deletion modules/multi-runner/queues.tf
Expand Up @@ -45,10 +45,19 @@ resource "aws_sqs_queue" "queued_builds" {
tags = var.tags
}

data "aws_iam_policy_document" "build_queue_policy" {
for_each = var.multi_runner_config

source_policy_documents = compact([
data.aws_iam_policy_document.deny_insecure_transport.json,
var.sqs_build_queue_extra_policy_json,
])
}

resource "aws_sqs_queue_policy" "build_queue_policy" {
for_each = var.multi_runner_config
queue_url = aws_sqs_queue.queued_builds[each.key].id
policy = data.aws_iam_policy_document.deny_insecure_transport.json
policy = data.aws_iam_policy_document.build_queue_policy[each.key].json
}

resource "aws_sqs_queue" "queued_builds_dlq" {
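Review bot: The new `data "aws_iam_policy_document" "build_queue_policy"` carries `for_each = var.multi_runner_config` but its body never reads `each.key` or `each.value`, so it renders the same document once per runner type and the per-key lookup in `aws_sqs_queue_policy` buys nothing. Either drop the `for_each` and reference `data.aws_iam_policy_document.build_queue_policy.json` from the resource, or make the extra policy a `map(string)` keyed by runner type so a cross-account grant can be confined to the one queue that needs it; as written, any principal admitted through `sqs_build_queue_extra_policy_json` reaches every build queue in the multi-runner module. The root main.tf hunk applies the same merge to its single queue, where a single document is the right shape.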
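--- a/modules/multi-runner/variables.tf
+++ b/modules/multi-runner/variables.tf
@@ -770,3 +770,15 @@ variable "parameter_store_tags" {
 type = map(string)
 default = {}
 }
+
+variable "sqs_build_queue_extra_policy_json" {
+description = "Optional additional SQS policy statements (JSON) merged into the build queue policy for all runner types. Useful for cross-account access, e.g. allowing an SNS topic from another account to send messages."
+type = string
+default = null
+}
+
+variable "create_webhook_module" {
+description = "Set to false to skip deploying the webhook Lambda and API Gateway. Use when webhook delivery is handled externally (e.g. a centralised proxy in another account)."
+type = bool
+default = true
+}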
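Review bot: `sqs_build_queue_extra_policy_json` accepts any string, so a malformed document, or one whose statement `Sid` collides with the one in `deny_insecure_transport` (the provider rejects duplicate Sids across `source_policy_documents`), only surfaces during plan inside the policy-document merge with an error pointing at the data source rather than at the variable; a `validation` block catches the JSON half at variable evaluation, where the message can name the variable. The same applies to the root `variables.tf` copy of this variable. The description should also state that Allow statements are merged unchanged next to the TLS deny, so callers are expected to name a specific principal and add a condition such as `aws:SourceArn` on the SNS topic they reference rather than a wildcard.
```hcl
variable "sqs_build_queue_extra_policy_json" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.sqs_build_queue_extra_policy_json == null || can(jsondecode(var.sqs_build_queue_extra_policy_json))
    error_message = "sqs_build_queue_extra_policy_json must be null or a JSON-encoded IAM policy document."
  }
}
```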
1 change: 1 addition & 0 deletions modules/multi-runner/webhook.tf
@@ -1,5 +1,6 @@
module "webhook" {
source = "../webhook"
count = var.create_webhook_module ? 1 : 0
prefix = var.prefix
tags = local.tags
kms_key_arn = var.kms_key_arn
21 changes: 11 additions & 10 deletions outputs.tf
Expand Up @@ -31,16 +31,16 @@ output "binaries_syncer" {
}

output "webhook" {
value = {
gateway = module.webhook.gateway
lambda = module.webhook.lambda
lambda_log_group = module.webhook.lambda_log_group
lambda_role = module.webhook.role
endpoint = "${module.webhook.gateway.api_endpoint}/${module.webhook.endpoint_relative_path}"
webhook = module.webhook.webhook
dispatcher = var.eventbridge.enable ? module.webhook.dispatcher : null
eventbridge = var.eventbridge.enable ? module.webhook.eventbridge : null
}
value = var.create_webhook_module ? {
gateway = module.webhook[0].gateway
lambda = module.webhook[0].lambda
lambda_log_group = module.webhook[0].lambda_log_group
lambda_role = module.webhook[0].role
endpoint = "${module.webhook[0].gateway.api_endpoint}/${module.webhook[0].endpoint_relative_path}"
webhook = module.webhook[0].webhook
dispatcher = var.eventbridge.enable ? module.webhook[0].dispatcher : null
eventbridge = var.eventbridge.enable ? module.webhook[0].eventbridge : null
} : null
}

output "ssm_parameters" {
Expand All @@ -56,6 +56,7 @@ output "queues" {
description = "SQS queues."
value = {
build_queue_arn = aws_sqs_queue.queued_builds.arn
build_queue_url = aws_sqs_queue.queued_builds.url
build_queue_dlq_arn = var.redrive_build_queue.enabled ? aws_sqs_queue.queued_builds_dlq[0].arn : null
}
}
12 changes: 12 additions & 0 deletions variables.tf
Expand Up @@ -3,6 +3,18 @@ variable "aws_region" {
type = string
}

variable "sqs_build_queue_extra_policy_json" {
description = "Optional additional SQS policy statements (JSON) merged into the build queue policy. Useful for cross-account access, e.g. allowing an SNS topic from another account to send messages."
type = string
default = null
}

variable "create_webhook_module" {
description = "Set to false to skip deploying the webhook Lambda and API Gateway. Use when webhook delivery is handled externally (e.g. a centralised proxy in another account)."
type = bool
default = true
}

variable "vpc_id" {
description = "The VPC for security groups of the action runners."
type = string