fix: added permissions for lambda to attach lambda to the VPC. (#2734)

* fix: added permissions for lambda to attach lambda to the VPC.

* fix: formatting.

* fix: create the policy conditionally.

* fix: updated as per review comments.

Co-authored-by: navdeepg2021 <navdeepg2021@gmail.com>

modules/runner-binaries-syncer/policies/lambda-vpc.json

@@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateNetworkInterface",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DeleteNetworkInterface"
+      ],
+      "Resource": "*"
+    }
+  ]
+}

modules/runner-binaries-syncer/runner-binaries-syncer.tf

@@ -100,6 +100,14 @@ resource "aws_iam_role_policy" "lambda_logging" {
   })
 }
 
+resource "aws_iam_role_policy" "lambda_syncer_vpc" {
+  count = length(var.lambda_subnet_ids) > 0 && length(var.lambda_security_group_ids) > 0 ? 1 : 0
+  name  = "${var.prefix}-lambda-syncer-vpc"
+  role  = aws_iam_role.syncer_lambda.id
+
+  policy = file("${path.module}/policies/lambda-vpc.json")
+}
+
 resource "aws_iam_role_policy" "syncer" {
   name = "${var.prefix}-lambda-syncer-s3-policy"
   role = aws_iam_role.syncer_lambda.id

modules/runners/policies/lambda-vpc.json

@@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateNetworkInterface",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DeleteNetworkInterface"
+      ],
+      "Resource": "*"
+    }
+  ]
+}

modules/runners/pool/main.tf

@@ -81,6 +81,14 @@ resource "aws_iam_role_policy" "pool_logging" {
   })
 }
 
+resource "aws_iam_role_policy" "lambda_pool_vpc" {
+  count = length(var.config.lambda.subnet_ids) > 0 && length(var.config.lambda.security_group_ids) > 0 ? 1 : 0
+  name  = "${var.config.prefix}-lambda-pool-vpc"
+  role  = aws_iam_role.pool.id
+
+  policy = file("${path.module}/../policies/lambda-vpc.json")
+}
+
 resource "aws_iam_role_policy_attachment" "pool_vpc_execution_role" {
   count      = length(var.config.lambda.subnet_ids) > 0 ? 1 : 0
   role       = aws_iam_role.pool.name

modules/runners/scale-down.tf

@@ -96,6 +96,14 @@ resource "aws_iam_role_policy" "scale_down_logging" {
   })
 }
 
+resource "aws_iam_role_policy" "lambda_scale_down_vpc" {
+  count = length(var.lambda_subnet_ids) > 0 && length(var.lambda_security_group_ids) > 0 ? 1 : 0
+  name  = "${var.prefix}-lambda-scale-down-vpc"
+  role  = aws_iam_role.scale_down.id
+
+  policy = file("${path.module}/policies/lambda-vpc.json")
+}
+
 resource "aws_iam_role_policy_attachment" "scale_down_vpc_execution_role" {
   count      = length(var.lambda_subnet_ids) > 0 ? 1 : 0
   role       = aws_iam_role.scale_down.name

modules/runners/scale-up.tf

@@ -106,6 +106,14 @@ resource "aws_iam_role_policy" "service_linked_role" {
   policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition })
 }
 
+resource "aws_iam_role_policy" "lambda_scale_up_vpc" {
+  count = length(var.lambda_subnet_ids) > 0 && length(var.lambda_security_group_ids) > 0 ? 1 : 0
+  name  = "${var.prefix}-lambda-scale-up-vpc"
+  role  = aws_iam_role.scale_up.id
+
+  policy = file("${path.module}/policies/lambda-vpc.json")
+}
+
 resource "aws_iam_role_policy_attachment" "scale_up_vpc_execution_role" {
   count      = length(var.lambda_subnet_ids) > 0 ? 1 : 0
   role       = aws_iam_role.scale_up.name

modules/webhook/webhook.tf

@@ -79,6 +79,7 @@ resource "aws_iam_role_policy" "webhook_sqs" {
     sqs_resource_arn = var.sqs_build_queue.arn
   })
 }
+
 resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
   count = var.sqs_workflow_job_queue != null ? 1 : 0
   name  = "${var.prefix}-lambda-webhook-publish-workflow-job-sqs-policy"