feat(syncer): add option to disable runner syncer lambda trigger (#2986)
* feat: Adding option to disable lambda syncer trigger

* feat: Adding option to disable lambda syncer trigger, fixing README.md replacement

* feat: Adding option to disable lambda syncer trigger on multi-runner module

* feat: Adding option to disable lambda syncer trigger on multi-runner module, fix README.md

---------

Co-authored-by: Lucas Santos Anjos <ctw02724@L-WKF973DWJT.local>
Co-authored-by: Niek Palm <npalm@users.noreply.github.com>
3 people authored Mar 1, 2023
1 parent 1b6f2e0 commit 5eb27b0
Showing 9 changed files with 33 additions and 9 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -457,6 +457,7 @@ We welcome any improvement to the standard module to make the default as secure
| <a name="input_enable_cloudwatch_agent"></a> [enable\_cloudwatch\_agent](#input\_enable\_cloudwatch\_agent) | Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`. | `bool` | `true` | no |
| <a name="input_enable_enable_fifo_build_queue"></a> [enable\_enable\_fifo\_build\_queue](#input\_enable\_enable\_fifo\_build\_queue) | DEPCRECATED: Replaced by `enable_fifo_build_queue` / `fifo_build_queue`. | `string` | `null` | no |
| <a name="input_enable_ephemeral_runners"></a> [enable\_ephemeral\_runners](#input\_enable\_ephemeral\_runners) | Enable ephemeral runners, runners will only be used once. | `bool` | `false` | no |
| <a name="input_enable_event_rule_binaries_syncer"></a> [enable\_event\_rule\_binaries\_syncer](#input\_enable\_event\_rule\_binaries\_syncer) | Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution | `bool` | `true` | no |
| <a name="input_enable_fifo_build_queue"></a> [enable\_fifo\_build\_queue](#input\_enable\_fifo\_build\_queue) | Enable a FIFO queue to remain the order of events received by the webhook. Suggest to set to true for repo level runners. | `bool` | `false` | no |
| <a name="input_enable_job_queued_check"></a> [enable\_job\_queued\_check](#input\_enable\_job\_queued\_check) | Only scale if the job event received by the scale up lambda is is in the state queued. By default enabled for non ephemeral runners and disabled for ephemeral. Set this variable to overwrite the default behavior. | `bool` | `null` | no |
| <a name="input_enable_managed_runner_security_group"></a> [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
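Review bot: The new description in the `enable_event_rule_binaries_syncer` row is phrased from the "disable" side although the variable is named `enable_*` and defaults to `true`, and it lacks the trailing period the neighbouring rows use. Suggest wording it as what the flag enables and what turning it off costs, e.g. "Enable the EventBridge schedule that triggers the binaries syncer Lambda. Set to `false` to stop automatic updates of the runner distribution; the bucket then stays at whatever version was last synced." The same text is repeated in the two module READMEs and the three `variables.tf` files in this commit, so whatever wording is chosen should be applied to all of them.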
1 change: 1 addition & 0 deletions main.tf
@@ -300,6 +300,7 @@ module "runner_binaries" {
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_kms_key_id

enable_event_rule_binaries_syncer = var.enable_event_rule_binaries_syncer
server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration

role_path = var.role_path
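Review bot: The new `enable_event_rule_binaries_syncer` line is placed after the blank line, next to `server_side_encryption_configuration`, while the multi-runner module's `runner-binaries.tf` in this same commit puts it with the Lambda and logging settings directly after `logging_kms_key_id`. Keeping the two call sites in the same order makes them easier to compare; suggest moving the line up to follow `logging_kms_key_id` here as well.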
1 change: 1 addition & 0 deletions modules/multi-runner/README.md
@@ -120,6 +120,7 @@ module "multi-runner" {
| <a name="input_aws_partition"></a> [aws\_partition](#input\_aws\_partition) | (optiona) partition in the arn namespace to use if not 'aws' | `string` | `"aws"` | no |
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region. | `string` | n/a | yes |
| <a name="input_cloudwatch_config"></a> [cloudwatch\_config](#input\_cloudwatch\_config) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | `string` | `null` | no |
| <a name="input_enable_event_rule_binaries_syncer"></a> [enable\_event\_rule\_binaries\_syncer](#input\_enable\_event\_rule\_binaries\_syncer) | Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution | `bool` | `true` | no |
| <a name="input_enable_managed_runner_security_group"></a> [enable\_managed\_runner\_security\_group](#input\_enable\_managed\_runner\_security\_group) | Enabling the default managed security group creation. Unmanaged security groups can be specified via `runner_additional_security_group_ids`. | `bool` | `true` | no |
| <a name="input_enable_workflow_job_events_queue"></a> [enable\_workflow\_job\_events\_queue](#input\_enable\_workflow\_job\_events\_queue) | Enabling this experimental feature will create a secondory sqs queue to wich a copy of the workflow\_job event will be delivered. | `bool` | `false` | no |
| <a name="input_ghes_ssl_verify"></a> [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no |
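Review bot: In the multi-runner module the description should say that the flag is global: the same `var.enable_event_rule_binaries_syncer` is passed to every `runner_binaries` instance created by the module's `for_each` (see `modules/multi-runner/runner-binaries.tf` in this commit), so setting it to `false` pauses the syncer schedule for all runner configurations at once rather than per runner. The row also has no trailing period where most of the surrounding rows do.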
19 changes: 10 additions & 9 deletions modules/multi-runner/runner-binaries.tf
@@ -9,15 +9,16 @@ module "runner_binaries" {
runner_os = each.value.os_type
runner_architecture = each.value.architecture

lambda_s3_bucket = var.lambda_s3_bucket
syncer_lambda_s3_key = var.syncer_lambda_s3_key
syncer_lambda_s3_object_version = var.syncer_lambda_s3_object_version
lambda_runtime = var.lambda_runtime
lambda_architecture = var.lambda_architecture
lambda_zip = var.runner_binaries_syncer_lambda_zip
lambda_timeout = var.runner_binaries_syncer_lambda_timeout
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_kms_key_id
lambda_s3_bucket = var.lambda_s3_bucket
syncer_lambda_s3_key = var.syncer_lambda_s3_key
syncer_lambda_s3_object_version = var.syncer_lambda_s3_object_version
lambda_runtime = var.lambda_runtime
lambda_architecture = var.lambda_architecture
lambda_zip = var.runner_binaries_syncer_lambda_zip
lambda_timeout = var.runner_binaries_syncer_lambda_timeout
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_kms_key_id
enable_event_rule_binaries_syncer = var.enable_event_rule_binaries_syncer

server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration
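Review bot: Nine of the ten added lines in this hunk are whitespace-only re-alignment of unchanged assignments (`lambda_s3_bucket` through `logging_kms_key_id`), produced by `terraform fmt` once the longer `enable_event_rule_binaries_syncer` key was added; only the last added line is functional. That is acceptable, but it buries the real change in a 19-line hunk. If the project prefers small diffs, the re-alignment could go in a separate formatting commit; otherwise a line in the commit message saying the rest is `fmt` noise would help later readers.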

6 changes: 6 additions & 0 deletions modules/multi-runner/variables.tf
@@ -343,6 +343,12 @@ variable "syncer_lambda_s3_object_version" {
default = null
}

variable "enable_event_rule_binaries_syncer" {
type = bool
default = true
description = "Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution"
}

variable "queue_encryption" {
description = "Configure how data on queues managed by the modules in ecrypted at REST. Options are encryped via SSE, non encrypted and via KMSS. By default encryptes via SSE is enabled. See for more details the Terraform `aws_sqs_queue` resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue."
type = object({
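Review bot: The new variable block orders its attributes `type`, `default`, `description`, whereas the neighbouring `queue_encryption` block leads with `description`; suggest matching the existing order so the blocks in this file read consistently. While editing this area, the `queue_encryption` description two lines below still carries several typos (`ecrypted`, `encryped`, `KMSS`, `encryptes`) that could be fixed in the same pass.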
1 change: 1 addition & 0 deletions modules/runner-binaries-syncer/README.md
@@ -88,6 +88,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| <a name="input_aws_partition"></a> [aws\_partition](#input\_aws\_partition) | (optional) partition for the base arn if not 'aws' | `string` | `"aws"` | no |
| <a name="input_distribution_bucket_name"></a> [distribution\_bucket\_name](#input\_distribution\_bucket\_name) | Bucket for storing the action runner distribution. | `string` | n/a | yes |
| <a name="input_enable_event_rule_binaries_syncer"></a> [enable\_event\_rule\_binaries\_syncer](#input\_enable\_event\_rule\_binaries\_syncer) | Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution | `bool` | `true` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | A name that identifies the environment, used as prefix and for tagging. | `string` | `null` | no |
| <a name="input_lambda_architecture"></a> [lambda\_architecture](#input\_lambda\_architecture) | AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions. | `string` | `"arm64"` | no |
| <a name="input_lambda_principals"></a> [lambda\_principals](#input\_lambda\_principals) | (Optional) add extra principals to the role created for execution of the lambda, e.g. for local testing. | <pre>list(object({<br> type = string<br> identifiers = list(string)<br> }))</pre> | `[]` | no |
1 change: 1 addition & 0 deletions modules/runner-binaries-syncer/runner-binaries-syncer.tf
@@ -121,6 +121,7 @@ resource "aws_cloudwatch_event_rule" "syncer" {
name = "${var.prefix}-syncer-rule"
schedule_expression = var.lambda_schedule_expression
tags = var.tags
is_enabled = var.enable_event_rule_binaries_syncer
}

resource "aws_cloudwatch_event_target" "syncer" {
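Review bot: Setting `is_enabled` on the rule only pauses the schedule: the `aws_cloudwatch_event_target` declared directly below and the syncer Lambda itself stay deployed, so the function can still be invoked on demand and re-enabling is a single variable flip. That is the right granularity for "stop automatic updates", but it also means nothing refreshes the runner distribution in the bucket while the flag is `false`, including any fixes shipped in newer runner releases; the variable description should say so explicitly so operators know they have taken over the update cadence.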
6 changes: 6 additions & 0 deletions modules/runner-binaries-syncer/variables.tf
@@ -56,6 +56,12 @@ variable "s3_logging_bucket_prefix" {
}
}

variable "enable_event_rule_binaries_syncer" {
type = bool
default = true
description = "Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution"
}

variable "lambda_schedule_expression" {
description = "Scheduler expression for action runner binary syncer."
type = string
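Review bot: This variable toggles the schedule defined by `lambda_schedule_expression`, which is declared immediately below it; the description could name that relationship (e.g. "Enable the EventBridge rule created from `lambda_schedule_expression` ...") so a reader of the module inputs sees that the two belong together. The description also uses the "Option to disable" phrasing for an `enable_*` boolean whose default is `true`; stating what `true` does avoids the double negative.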
6 changes: 6 additions & 0 deletions variables.tf
@@ -707,6 +707,12 @@ variable "enable_runner_binaries_syncer" {
default = true
}

variable "enable_event_rule_binaries_syncer" {
type = bool
default = true
description = "Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution"
}

variable "queue_encryption" {
description = "Configure how data on queues managed by the modules in ecrypted at REST. Options are encryped via SSE, non encrypted and via KMSS. By default encryptes via SSE is enabled. See for more details the Terraform `aws_sqs_queue` resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue."
type = object({
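Review bot: The root module now has two similarly named booleans next to each other, `enable_runner_binaries_syncer` (the context line at the top of this hunk) and `enable_event_rule_binaries_syncer`, and the new description does not say how they differ. Suggest stating it in the description, e.g. that this flag leaves the syncer deployed and only pauses its EventBridge schedule, so users do not confuse the two or assume one implies the other.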