fix: ensure IAM Role name length does not exceed 64 characters #4696
npalm merged 7 commits into github-aws-runners:main from
|
Worth noting that there is one caveat to this approach: if the |
When using a long enough `prefix`, the IAM Roles can exceed the maximum
length allowed by AWS.
For example:
```
│ Error: expected length of name to be in the range (1 - 64), got github-runners-prod-xxxxxxxxxxxxxx-prod-action-scale-down-lambda-role
│
│ with module.multi_runner.module.runners["xxxxxxxxxxxxxx-prod"].aws_iam_role.scale_down,
│ on .terraform/modules/multi_runner/modules/runners/scale-down.tf line 88, in resource "aws_iam_role" "scale_down":
│ 88: name = "${var.prefix}-action-scale-down-lambda-role"
```
There is nowhere to override this, so your only options are to change
the prefix for the entire module. This commit resolves this by
truncating the name to fit under the maximum length.
This primarily happens on the scale-up and scale-down Lambdas, but I've
added it everywhere for consistency.
Fixes: github-aws-runners#3973
|
Thx for your contribution, need a bit of time to check what would be the best direction. There are many resources that have the prefix as part of the name, and not only the IAM roles are bounded by 64 chars. Having both the prefix and a name of the role is important for me; it helps to quickly understand what the role is all about. Technically we could have a prefix and a generated part. But that will make the roles less understandable in my point of view. Same for other resources. We can also shorten the role names, which also gives more space for the prefix, which can be long in the case of the multi runner. Maybe a future improvement (breaking) is to limit the prefix length as well to avoid problems like this. |
I am currently deploying this branch and it was only the scale-up and scale-down roles that were failing with a name of
I also thought about something like this, maybe a resource precondition on the IAM Role resource that asserts that the IAM Role names aren't going to completely conflict, or something along those lines. Also to consider - is it a breaking change if it's not currently possible? |
|
For this PR let's stick to this improvement. However, I also looked some time back at pre/post conditions. I think it is not truly breaking, but it drops support for older Terraform versions. I prefer to keep breaking changes limited. But I see no real reason to keep supporting old Terraform versions forever. So if you are happy to prepare a change in a separate PR to see how pre / post can help, we can introduce this in a new major release. |
|
Will do my best to check the PR in the next days. |
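The precondition idea raised in this thread, as an added example that is not code from this PR or from the project: names are truncated with `substr()` and the plan fails if two truncated names become identical. `var.prefix` and the `-action-scale-down-lambda-role` suffix come from the error message above; the `role_suffixes` map, the scale-up suffix, the resource label `lambda` and the trust policy are assumptions made for illustration.

```hcl
# Added example; names not shown on the page are hypothetical.
variable "prefix" {
  type = string
}

locals {
  iam_role_name_max = 64 # upper bound from the error message above

  # Only the scale_down suffix appears on the page; scale_up is assumed.
  role_suffixes = {
    scale_up   = "-action-scale-up-lambda-role"
    scale_down = "-action-scale-down-lambda-role"
  }

  # Truncate each full name to the limit. With a prefix of 50 or more
  # characters the cut falls inside "-action-scale-", so both entries
  # collapse to the same string.
  role_names = {
    for key, suffix in local.role_suffixes :
    key => substr("${var.prefix}${suffix}", 0, local.iam_role_name_max)
  }
}

data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  for_each           = local.role_names
  name               = each.value
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json

  lifecycle {
    # Fail at plan time instead of at apply time with a duplicate-name error.
    precondition {
      condition     = length(distinct(values(local.role_names))) == length(local.role_names)
      error_message = "Truncated IAM role names collide; shorten var.prefix."
    }
  }
}
```

`precondition` blocks require Terraform 1.2 or later, which is the version-support trade-off mentioned in the reply above.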
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull Request Overview
This PR fixes a bug where IAM role names can exceed AWS's 64-character limit when using long prefixes, causing deployment failures. The solution truncates all IAM role names to 63 characters maximum using the substr() function.
- Applied `substr()` function to limit IAM role names to 63 characters across all modules
- Ensures compliance with AWS IAM role name length restrictions
- Maintains consistency by applying the fix to all IAM role resources, not just the problematic ones
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| modules/webhook/eventbridge/webhook.tf | Truncate webhook lambda role name |
| modules/webhook/eventbridge/dispatcher.tf | Truncate dispatcher lambda role name |
| modules/webhook/direct/webhook.tf | Truncate direct webhook lambda role name |
| modules/setup-iam-permissions/main.tf | Truncate terraform deployment role name |
| modules/runners/ssm-housekeeper.tf | Truncate SSM housekeeper lambda role name |
| modules/runners/scale-up.tf | Truncate scale-up lambda role name |
| modules/runners/scale-down.tf | Truncate scale-down lambda role name |
| modules/runners/pool/main.tf | Truncate pool lambda role name |
| modules/runners/policies-runner.tf | Truncate runner instance role name |
| modules/lambda/main.tf | Truncate generic lambda role name |
| modules/ami-housekeeper/main.tf | Truncate AMI housekeeper role name |
|
@aarongorka thx for the PR! I took the opportunity to ensure roles are unique and did some renaming to align naming. Please let me know what you think before I merge the PR. Updated IAM Roles
|
npalm left a comment
Tested with the multi runner setup up
🤖 I have created a release *beep* *boop*

---

## [6.7.7](v6.7.6...v6.7.7) (2025-09-09)

### Bug Fixes

* ensure IAM Role name length does not exceed 64 characters ([#4696](#4696)) ([afacbef](afacbef)) @aarongorka
* **lambda:** bump the aws group in /lambdas with 6 updates ([#4750](#4750)) ([094d539](094d539))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: runners-releaser[bot] <194412594+runners-releaser[bot]@users.noreply.github.com>
|
This should have been considered a breaking change since it suddenly changed the IAM role names for existing environments. I'm having to update a lot of trust policies now. |
|
I also consider this a breaking change. Changing IAM role names means deleting and recreating them. |
|
It was surprising to see such a change in a minor release. I agree with previous comments that this should be labeled as a breaking change. This is disappointing. |