grant permision to pool lambda for fetching ami paramater

npalm · npalm · commit 9a3ec9b7654d · 2025-04-04T14:17:40.000+02:00
diff --git a/examples/default/main.tf b/examples/default/main.tf
@@ -141,6 +141,15 @@ module "runners" {
 
   # enable CMK instead of aws managed key for encryptions
   # kms_key_arn = aws_kms_key.github.arn
+
+  # pool_runner_owner = "philips-test-runners"
+  # pool_config = [{
+  #   size                         = 1
+  #   schedule_expression = "cron(0/3 14 * * ? *)" # every 3 minutes between 14:00 and 15:00
+  #   schedule_expression_timezone = "Europe/Amsterdam"
+
+  # }]
+
 }
 
 module "webhook_github_app" {
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf
@@ -17,6 +17,7 @@ module "pool" {
     instance_types                = var.instance_types
     kms_key_arn                   = local.kms_key_arn
     ami_kms_key_arn               = local.ami_kms_key_arn
+    ami_id_ssm_parameter_arn      = local.ami_id_ssm_module_managed ? aws_ssm_parameter.runner_ami_id[0].arn : var.ami_id_ssm_parameter_arn
     lambda = {
       log_level                      = var.log_level
       logging_retention_in_days      = var.logging_retention_in_days
diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf
@@ -91,6 +91,7 @@ resource "aws_iam_role_policy" "pool" {
     github_app_key_base64_arn      = var.config.github_app_parameters.key_base64.arn
     kms_key_arn                    = var.config.kms_key_arn
     ami_kms_key_arn                = var.config.ami_kms_key_arn
+    ssm_ami_id_parameter_arn       = var.config.ami_id_ssm_parameter_arn
   })
 }
 
diff --git a/modules/runners/pool/policies/lambda-pool.json b/modules/runners/pool/policies/lambda-pool.json
@@ -39,6 +39,15 @@
             "${arn_ssm_parameters_path_config}/*"
           ]
         },
+        {
+            "Effect": "Allow",
+            "Action": [
+              "ssm:GetParameters"
+            ],
+            "Resource": [
+                "${ssm_ami_id_parameter_arn}"
+            ]
+        },
         {
             "Effect": "Allow",
             "Action": [
diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf
@@ -57,6 +57,7 @@ variable "config" {
     role_permissions_boundary            = string
     kms_key_arn                          = string
     ami_kms_key_arn                      = string
+    ami_id_ssm_parameter_arn             = string
     role_path                            = string
     ssm_token_path                       = string
     ssm_config_path                      = string

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ resource "aws_iam_role_policy" "pool" {`
`91`	`91`	`github_app_key_base64_arn = var.config.github_app_parameters.key_base64.arn`
`92`	`92`	`kms_key_arn = var.config.kms_key_arn`
`93`	`93`	`ami_kms_key_arn = var.config.ami_kms_key_arn`
	`94`	`+ ssm_ami_id_parameter_arn = var.config.ami_id_ssm_parameter_arn`
`94`	`95`	`})`
`95`	`96`	`}`
`96`	`97`