diff --git a/modules/runner-binaries-syncer/policies/lambda-vpc.json b/modules/runner-binaries-syncer/policies/lambda-vpc.json new file mode 100644 index 0000000000..241153d981 --- /dev/null +++ b/modules/runner-binaries-syncer/policies/lambda-vpc.json @@ -0,0 +1,14 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface" + ], + "Resource": "*" + } + ] +} diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf index 76c931ecc4..8bd0330af4 100644 --- a/modules/runner-binaries-syncer/runner-binaries-syncer.tf +++ b/modules/runner-binaries-syncer/runner-binaries-syncer.tf @@ -100,6 +100,14 @@ resource "aws_iam_role_policy" "lambda_logging" { }) } +resource "aws_iam_role_policy" "lambda_syncer_vpc" { + count = length(var.lambda_subnet_ids) > 0 && length(var.lambda_security_group_ids) > 0 ? 1 : 0 + name = "${var.prefix}-lambda-syncer-vpc" + role = aws_iam_role.syncer_lambda.id + + policy = file("${path.module}/policies/lambda-vpc.json") +} + resource "aws_iam_role_policy" "syncer" { name = "${var.prefix}-lambda-syncer-s3-policy" role = aws_iam_role.syncer_lambda.id diff --git a/modules/runners/policies/lambda-vpc.json b/modules/runners/policies/lambda-vpc.json new file mode 100644 index 0000000000..241153d981 --- /dev/null +++ b/modules/runners/policies/lambda-vpc.json @@ -0,0 +1,14 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface" + ], + "Resource": "*" + } + ] +} diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf index e0d0fb9976..c9e65dffe9 100644 --- a/modules/runners/pool/main.tf +++ b/modules/runners/pool/main.tf 
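Review bot: `"Resource": "*"` on the new statement lets the role create or delete any network interface in the account, not only the ones Lambda manages for this function; ec2:CreateNetworkInterface and ec2:DeleteNetworkInterface support resource-level permissions and the `ec2:Subnet` / `ec2:Vpc` condition keys, so the grant could be narrowed to the configured subnets while only ec2:DescribeNetworkInterfaces genuinely needs `*`. Because the Terraform side loads this file with `file()` rather than `templatefile()`, narrowing would mean switching to `templatefile()` and passing the subnet ARNs in, as the neighbouring service-linked-role policy already does with `aws_partition`. The same file is added byte-for-byte at modules/runners/policies/lambda-vpc.json in the third hunk; one shared copy would keep the two from drifting. AWS's managed AWSLambdaVPCAccessExecutionRole additionally grants ec2:DescribeSubnets, ec2:AssignPrivateIpAddresses and ec2:UnassignPrivateIpAddresses — if this inline policy is meant to stand alone rather than supplement that managed policy, confirm the functions do not need those.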
@@ -81,6 +81,14 @@ resource "aws_iam_role_policy" "pool_logging" { }) } +resource "aws_iam_role_policy" "lambda_pool_vpc" { + count = length(var.config.lambda.subnet_ids) > 0 && length(var.config.lambda.security_group_ids) > 0 ? 1 : 0 + name = "${var.config.prefix}-lambda-pool-vpc" + role = aws_iam_role.pool.id + + policy = file("${path.module}/../policies/lambda-vpc.json") +} + resource "aws_iam_role_policy_attachment" "pool_vpc_execution_role" { count = length(var.config.lambda.subnet_ids) > 0 ? 1 : 0 role = aws_iam_role.pool.name diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf index 08181485c8..69f26b9218 100644 --- a/modules/runners/scale-down.tf +++ b/modules/runners/scale-down.tf @@ -96,6 +96,14 @@ resource "aws_iam_role_policy" "scale_down_logging" { }) } +resource "aws_iam_role_policy" "lambda_scale_down_vpc" { + count = length(var.lambda_subnet_ids) > 0 && length(var.lambda_security_group_ids) > 0 ? 1 : 0 + name = "${var.prefix}-lambda-scale-down-vpc" + role = aws_iam_role.scale_down.id + + policy = file("${path.module}/policies/lambda-vpc.json") +} + resource "aws_iam_role_policy_attachment" "scale_down_vpc_execution_role" { count = length(var.lambda_subnet_ids) > 0 ? 1 : 0 role = aws_iam_role.scale_down.name diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf index d20d2fac6e..80c4614f84 100644 --- a/modules/runners/scale-up.tf +++ b/modules/runners/scale-up.tf 
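Review bot: The new `lambda_pool_vpc` policy is created only when both `var.config.lambda.subnet_ids` and `var.config.lambda.security_group_ids` are non-empty, while the `pool_vpc_execution_role` attachment directly below it keys on `subnet_ids` alone, so the two halves of the VPC setup for the same role can silently diverge when only one list is set; the same split appears in `lambda_scale_down_vpc` later on this line and in `lambda_scale_up_vpc` in the next hunk. Use one condition for both resources — a single module-level local evaluated once is the least error-prone — or drop the `security_group_ids` clause here so it matches the existing attachments, since the provider's `vpc_config` cannot be set without both lists anyway. If `pool_vpc_execution_role` attaches the AWS managed VPC execution policy (its `policy_arn` is outside the hunk), the inline policy repeats permissions the role already holds, and the reason for keeping both belongs in a comment on the new resource, e.g. `# ENI permissions for vpc_config; kept alongside the managed-policy attachment because <reason>`. The `pool_vpc_execution_role` block continues past the end of the hunk.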
@@ -106,6 +106,14 @@ resource "aws_iam_role_policy" "service_linked_role" { policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition }) } +resource "aws_iam_role_policy" "lambda_scale_up_vpc" { + count = length(var.lambda_subnet_ids) > 0 && length(var.lambda_security_group_ids) > 0 ? 1 : 0 + name = "${var.prefix}-lambda-scale-up-vpc" + role = aws_iam_role.scale_up.id + + policy = file("${path.module}/policies/lambda-vpc.json") +} + resource "aws_iam_role_policy_attachment" "scale_up_vpc_execution_role" { count = length(var.lambda_subnet_ids) > 0 ? 1 : 0 role = aws_iam_role.scale_up.name diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf index 08bb943290..8e001515e7 100644 --- a/modules/webhook/webhook.tf +++ b/modules/webhook/webhook.tf @@ -79,6 +79,7 @@ resource "aws_iam_role_policy" "webhook_sqs" { sqs_resource_arn = var.sqs_build_queue.arn }) } + resource "aws_iam_role_policy" "webhook_workflow_job_sqs" { count = var.sqs_workflow_job_queue != null ? 1 : 0 name = "${var.prefix}-lambda-webhook-publish-workflow-job-sqs-policy"