From beea51d804a1ee4d8e5d1bcbedc438e0a940db11 Mon Sep 17 00:00:00 2001
From: Kqirk <76428411+Kqirk@users.noreply.github.com>
Date: Mon, 22 Jul 2024 16:32:03 +0800
Subject: [PATCH] fix: remove leading `/` from SSM parameter names in policy ARNs (#1146)

## Description
Using SSM parameter hierarchies (as described in https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-hierarchies.html) results in an error. See #1128 Several workarounds exist, but using `trimprefix` makes them superfluous. Having a `/` as first character results in the above mentioned error.

## Verification
Checked the ARN of parameter `/test/test`. It showed up as `arn:aws:ssm:eu-central-1:123456789012:parameter/test/test` in the console. So no `//` at first place.

---------

Co-authored-by: kirkchong
Co-authored-by: Matthias Kay
Co-authored-by: Matthias Kay
---
 .cspell.json | 1 +
 main.tf | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.cspell.json b/.cspell.json
index 21f9c4ab..b071e186 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -55,6 +55,7 @@
 "tfvars",
 "tmpfs",
 "tonumber",
+ "trimprefix",
 "trivy",
 "userns",
 "xanzy",
diff --git a/main.tf b/main.tf
index 601ef0e2..f6b9c9f1 100644
--- a/main.tf
+++ b/main.tf
@@ -615,14 +615,14 @@ data "aws_iam_policy_document" "ssm" {
 var.runner_gitlab.preregistered_runner_token_ssm_parameter_name,
 aws_ssm_parameter.runner_registration_token.name
 ]
- ) : "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${name}"
+ ) : "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${trimprefix(name, "/")}"
 ]
 }
 statement {
 actions = ["ssm:PutParameter"]
 resources = [
- "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${aws_ssm_parameter.runner_registration_token.name}"
+ "arn:${data.aws_partition.current.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${trimprefix(aws_ssm_parameter.runner_registration_token.name, "/")}"
 ]
 }
 }
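Review bot: The two new ARN lines give no hint why the leading `/` is stripped, so the next maintainer may revert to `parameter/${name}` or, worse, widen the resource to `parameter/*` when the policy fails to match again; add a comment above the first `resources` list such as `# Hierarchical SSM names start with "/", but the ARN form is parameter/<name> without it; parameter//<name> matches no parameter, so the policy would silently grant nothing (presumably the failure in #1128).` `trimprefix` removes exactly one `/`, which is consistent across both statements here, and any other `parameter/${...}` ARN elsewhere in main.tf should get the same treatment. The `for`/`concat(` expression that the first `+` line closes begins before this hunk, so whether a null `preregistered_runner_token_ssm_parameter_name` is filtered out before reaching `trimprefix` could not be checked from the diff.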