philips-labs / terraform-aws-github-runner

Terraform module for scalable GitHub action runners on AWS
https://philips-labs.github.io/terraform-aws-github-runner/
MIT License

ssm:GetParameter AccessDeniedException #3959

Open Upgreydd opened 4 months ago

Upgreydd commented 4 months ago

In version 5.12.0 something is wrong with runner-ssm-parameters. After removing the condition below everything works, but I guess that's not the desired way.

            "Condition": {
                "StringLike": {
                    "ec2:SourceInstanceARN": "*/${aws:ResourceTag/InstanceId}"
                }
            },

Error is:

<13>Jul  1 15:41:27 user-data: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::account_id:assumed-role/my-ghr-ubuntu-runner-role/i-02acXXXXXXXX is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:ap-south-1:account_id:parameter/github-action-runners/my-ghr/ubuntu/runners/tokens/i-02acXXXXXXXX because no identity-based policy allows the ssm:GetParameter action
<13>Jul  1 15:41:27 user-data: Waiting for GH Runner config to become available in AWS SSM

[EDIT] OK, it looks like the lambdas are not updated when deploying updated code. The module "multi-runner" parameters:

  lambda_s3_bucket      = var.s3_bucket_name
  webhook_lambda_s3_key = "lambdas/webhook.zip"
  syncer_lambda_s3_key  = "lambdas/runner-binaries-syncer.zip"
  runners_lambda_s3_key = "lambdas/runners.zip"

don't force a new lambda deployment when the zip files are updated.
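
Added example, not part of the issue thread or the project's code: a small offline model of how the quoted `StringLike` condition is evaluated, showing why a runner may read only the SSM parameter whose `InstanceId` tag equals its own instance ID. It assumes the token parameter is expected to carry that tag, as the `${aws:ResourceTag/InstanceId}` variable implies; the function names, ARN and tag values are constructed for illustration.

```python
import re

# Condition from the issue, attached to the Allow for ssm:GetParameter.
CONDITION_PATTERN = "*/${aws:ResourceTag/InstanceId}"


def resolve_policy_variables(pattern, resource_tags):
    """Substitute ${aws:ResourceTag/<key>}; return None if any tag is absent."""
    missing = []

    def substitute(match):
        key = match.group(1)
        if key not in resource_tags:
            missing.append(key)
        return resource_tags.get(key, "")

    resolved = re.sub(r"\$\{aws:ResourceTag/([^}]+)\}", substitute, pattern)
    # An unresolvable variable means the statement cannot match the request.
    return None if missing else resolved


def string_like(value, pattern):
    """IAM StringLike: case-sensitive, '*' is any run, '?' is one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def get_parameter_allowed(source_instance_arn, parameter_tags):
    """True when ec2:SourceInstanceARN satisfies the condition for this parameter."""
    pattern = resolve_policy_variables(CONDITION_PATTERN, parameter_tags)
    return pattern is not None and string_like(source_instance_arn, pattern)


# Constructed sample values (not taken from the issue).
RUNNER_ARN = "arn:aws:ec2:ap-south-1:111122223333:instance/i-0aaa1111bbbb2222c"
CASES = {
    "own parameter, tagged": {"InstanceId": "i-0aaa1111bbbb2222c"},
    "another runner's parameter": {"InstanceId": "i-0ddd3333eeee4444f"},
    "parameter without InstanceId tag": {},
}

if __name__ == "__main__":
    for label, tags in CASES.items():
        verdict = "Allow" if get_parameter_allowed(RUNNER_ARN, tags) else "implicit deny"
        print(f"{label}: {verdict}")
```

The third case matches the error in the log: with no `InstanceId` tag on the parameter, no Allow statement applies and the request falls through to an implicit deny.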

npalm commented 4 months ago

Lambda updates are forced based on the source code hash, which means each time you rebuild the lambda a deployment is triggered. As far as we are aware this is working correctly. We use this often during development. Our prod deployments depend on zip files (versioned in S3).

iterion commented 4 months ago

I also recently experienced this. I had to delete my lambdas for them to load the latest code from S3. Possibly I have something misconfigured, though.

npalm commented 3 months ago

Ensure you always deploy the matching lambdas with an update of the Terraform module.

github-actions[bot] commented 1 week ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions.