
fix: add SSM AMI parameter permissions and environment-based naming#5016

Merged
npalm merged 4 commits into main from npalm/fix-ssm-ami-parameter-permissions
Feb 4, 2026

Conversation

@npalm (Member) commented Feb 3, 2026

This pull request introduces environment-specific configuration improvements and updates IAM policy resources to support new SSM parameters. The main changes focus on making resource naming more flexible and ensuring the Lambda scale-up policy has access to the necessary SSM parameters.

Configuration improvements:

  • Updated the al2023_arm64_name local in examples/multi-runner/main.tf to include the environment variable, making AMI name paths environment-specific for better isolation and flexibility.

IAM policy updates:

  • Added ${ssm_ami_id_parameter_arn} to the resource list in modules/runners/policies/lambda-scale-up.json, allowing Lambda scale-up operations to access the new SSM parameter for AMI IDs. This solves errors related to handling batches.

- Add missing SSM GetParameter and GetParameters permissions for AMI parameter ARN in scale-up lambda policy
- Use environment variable prefix for SSM parameter name to ensure unique naming per environment
@npalm npalm requested a review from a team as a code owner February 3, 2026 18:09
@github-actions bot (Contributor) commented Feb 3, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None
@npalm npalm requested a review from Copilot February 3, 2026 18:11
Copilot AI (Contributor) left a comment

Pull request overview

This PR enhances environment isolation and fixes Lambda scale-up permissions by making AMI parameter paths environment-specific and granting necessary SSM access. These changes prevent errors when the Lambda function handles batches by ensuring it can read the required AMI ID parameters.

Changes:

  • Added environment variable to AMI parameter paths for better resource isolation across environments
  • Extended Lambda scale-up IAM policy to include SSM AMI ID parameter access

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| modules/runners/policies/lambda-scale-up.json | Grants Lambda scale-up function access to SSM AMI ID parameter |
| examples/multi-runner/main.tf | Makes AMI parameter path environment-specific for proper isolation |

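The permission check that the PR description and Copilot's overview both describe, as an added example in Python that is not code from the terraform-aws-github-runner project: it builds an environment-prefixed AMI parameter name (resolving a fallback when the environment is null, the situation the tflint fix commit below describes), renders a policy template containing the `${ssm_ami_id_parameter_arn}` placeholder the way templatefile() would, and evaluates whether ssm:GetParameter and ssm:GetParameters are granted on that ARN. The parameter path layout, the "default" fallback value, both policy template shapes, the region and the account ID are assumptions; the project's real lambda-scale-up.json is not reproduced.

```python
"""Added example (not code from terraform-aws-github-runner): offline check that a
scale-up Lambda policy grants SSM read access to an environment-prefixed AMI
parameter. Paths, fallback, policy shapes, region and account are assumptions."""
import fnmatch
import json
import re
from typing import Optional

REGION = "eu-west-1"          # placeholder region
ACCOUNT = "123456789012"      # placeholder account ID


def environment_name(environment: Optional[str], fallback: str = "default") -> str:
    """Terraform's var.environment may be null and null cannot be interpolated
    into a string template, so resolve a fallback first ("default" is assumed)."""
    return environment if environment else fallback


def ami_parameter_name(environment: Optional[str], runner: str) -> str:
    """Environment-prefixed parameter name so two deployments in one account do
    not share (or clobber) the same AMI ID parameter. Path layout is assumed."""
    return f"/{environment_name(environment)}/runners/{runner}/ami-id"


def ssm_parameter_arn(region: str, account: str, name: str) -> str:
    """SSM parameter ARNs append the hierarchical name directly after 'parameter'."""
    return f"arn:aws:ssm:{region}:{account}:parameter{name}"


def render_policy(template: str, variables: dict) -> dict:
    """Substitute ${name} placeholders as templatefile() would, then parse the JSON.
    An unresolved placeholder is an error rather than a silently empty resource."""
    def substitute(match):
        key = match.group(1)
        if key not in variables:
            raise KeyError(f"unresolved template variable ${{{key}}}")
        return variables[key]
    return json.loads(re.sub(r"\$\{(\w+)\}", substitute, template))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. Action matching is case-insensitive, resource matching
    is not; NotAction, NotResource and Condition are rejected, not modelled."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt or "NotResource" in stmt or "Condition" in stmt:
            raise NotImplementedError("statement shape not modelled by this check")
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def missing_ssm_grants(policy: dict, parameter_arn: str) -> list:
    """The read actions the scale-up Lambda needs on the AMI parameter that the
    policy does not grant; an empty list means the policy is sufficient."""
    needed = ("ssm:GetParameter", "ssm:GetParameters")
    return [a for a in needed if not is_allowed(policy, a, parameter_arn)]


# Constructed policy templates in the style of a templatefile() input. The
# "before" shape lists only the config parameter; the "after" shape adds the
# AMI parameter ARN placeholder the fix introduces.
POLICY_BEFORE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameter", "ssm:GetParameters"],
    "Resource": ["${ssm_config_parameter_arn}"]
  }]
}"""

POLICY_AFTER = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameter", "ssm:GetParameters"],
    "Resource": ["${ssm_config_parameter_arn}", "${ssm_ami_id_parameter_arn}"]
  }]
}"""


def check_scale_up_policy(template: str, environment: Optional[str]) -> list:
    """Render the template for one environment and report the missing grants."""
    env = environment_name(environment)
    ami_arn = ssm_parameter_arn(REGION, ACCOUNT, ami_parameter_name(environment, "al2023-arm64"))
    variables = {
        "ssm_config_parameter_arn": ssm_parameter_arn(REGION, ACCOUNT, f"/{env}/runners/config/*"),
        "ssm_ami_id_parameter_arn": ami_arn,
    }
    return missing_ssm_grants(render_policy(template, variables), ami_arn)


if __name__ == "__main__":
    print(check_scale_up_policy(POLICY_BEFORE, "prod"))  # ['ssm:GetParameter', 'ssm:GetParameters']
    print(check_scale_up_policy(POLICY_AFTER, "prod"))   # []
    print(check_scale_up_policy(POLICY_AFTER, None))     # [] (name falls back to /default/...)
```

The evaluator deliberately refuses statements with NotAction, NotResource or Condition instead of guessing; for a real policy with those, run it through IAM's SimulatePrincipalPolicy rather than an offline approximation.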

npalm and others added 3 commits February 3, 2026 19:14
…n string template

The tflint validation was failing because var.environment can be null, and null values cannot be included in string templates. Changed to use local.environment which has a fallback value.

Fixes the tflint error: Invalid template interpolation value. The expression result is null.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@npalm npalm merged commit 1a7158b into main Feb 4, 2026
44 checks passed
@npalm npalm deleted the npalm/fix-ssm-ami-parameter-permissions branch February 4, 2026 20:23
npalm pushed a commit that referenced this pull request Feb 4, 2026
🤖 I have created a release *beep* *boop*
---


## [7.4.0](v7.3.0...v7.4.0) (2026-02-04)

### Features

* **control-plane:** tag control plane created SSM Parameters ([#4833](#4833)) ([#4834](#4834)) ([7e1a0a1](7e1a0a1)) @wadherv
* use prefix variable for POWERTOOLS_SERVICE_NAME in Lambda functions ([#4948](#4948)) ([8bd61d2](8bd61d2)) @alexalbu001

### Bug Fixes

* add SSM AMI parameter permissions and environment-based naming ([#5016](#5016)) ([1a7158b](1a7158b))
* job retry mechanism not triggering ([#4961](#4961)) ([5039ae5](5039ae5))
* **lambda:** bump diff from 4.0.2 to 4.0.4 in /lambdas ([#5004](#5004)) ([cd86fe6](cd86fe6))
* **lambda:** bump lodash-es from 4.17.21 to 4.17.23 in /lambdas ([#5006](#5006)) ([c638e38](c638e38))
* **lambda:** bump the aws group in /lambdas with 7 updates ([#4998](#4998)) ([d373bcc](d373bcc))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: runners-releaser[bot] <194412594+runners-releaser[bot]@users.noreply.github.com>
Brend-Smits pushed a commit that referenced this pull request Mar 6, 2026
…5016)
Brend-Smits pushed a commit that referenced this pull request Mar 6, 2026
🤖 I have created a release *beep* *boop*
LudovicTOURMAN pushed a commit to doctolib-lab/terraform-aws-github-runner that referenced this pull request Apr 7, 2026
…ithub-aws-runners#5016)
LudovicTOURMAN pushed a commit to doctolib-lab/terraform-aws-github-runner that referenced this pull request Apr 7, 2026
🤖 I have created a release *beep* *boop*