feat: support AWS EventBridge

[npalm]

Description

This PR introduces the AWS EventBridge. The EventBridge can be enabled with the options webhook_mode, which can be set to either direct or eventbridge. In the direct mode the olds way of handling is still applied. When setting the mode to eventbridge events will publshed on the AWS EventBridge, which is not limited only to the event workflow_job with statues queued via a target rule events relevant for scaling a snet to the dispatcher lambda to distrute to a SQS queue for sacling.

Todo

• Refactor lambda and add EventBridge
• Refactor webhook module (TF) to support EventBridge
• Test example default
• Test example multi runner
• Adjust docs
• Reduce permissions on webhook and dispatcher lambda for eventbridge mode
• Add configuration for allowed events on the EventBridge
• Add support for CMK (encruption) to EventBridge Add support for CMK (encryption) for the EventBridge #4192

MIgration directions

The change is backwards compatible but will recreate resources managed by the internal module webhook. The only resource contianing data is the CloudWatch LogGroup. To retain the log geroup you can run a terraform state move. Or add a moved block to your deployemnt.

Migrating to this version

With module defaults or webhook_mode = direct

moved {
   from = module.<runner-module-name>.module.webhook.aws_cloudwatch_log_group.webhook
   to = module.<runner-module-name>.module.webhook.module.direct[0].aws_cloudwatch_log_group.webhook
}

Or with webhook_mode = eventbridge

moved {
   from = module.<runner-module-name>.module.webhook.aws_cloudwatch_log_group.webhook
   to = module.<runner-module-name>.module.webhook.module.direct[0].aws_cloudwatch_log_group.webhook
}

When switching between direct and event bridge

When enable mode eventbridge

moved {
  from = module.runners.module.webhook.module.direct[0].aws_cloudwatch_log_group.webhook
  to = module.runners.module.webhook.module.eventbridge[0].aws_cloudwatch_log_group.webhook
}

Or vice versa for moving from eventbride to webhook

[npalm]

Loading the configuration was quite a mess. Replaced by a singleton to load configurations per deployed entrypoint. For each lambda handler function a different ConfigABC claass is created.

[npalm]

Validation is in general limited, but input is controlled via internal terraform modules.

[npalm]

Could not find a better way to parse an object or list in to a typed property. In case an error the input is just parsed as string.

Not perfect, but also the terraform modules are typed.

[npalm]

Only the configuration object is changed for the old flow (webhook only). This to accomodate other configurations

[npalm]

Only real change here is the configuration boject

[npalm]

Adjust terraform module to expose configuration. This allow to limit the events to accept on the bus.

[npalm]

With is part of terraform code all GitHub events can put in a bucket for further analysis.

Add the code in a .tf file int the multi runner example.

source: https://040code.github.io/2023/01/06/github-event-aws-eventbridge

locals {
  prefix = var.environment
  event_bus_name = module.runners.webhook.eventbridge.event_bus.name
}

resource "aws_cloudwatch_event_rule" "all" {
  name           = "${local.prefix}-github-events-all"
  description    = "Caputure all GitHub events"
  event_bus_name = local.event_bus_name
  event_pattern  = <<EOF
{
  "source": [{
    "prefix": "github"
  }]
}
EOF
}

resource "aws_cloudwatch_event_target" "main" {
  rule           = aws_cloudwatch_event_rule.all.name
  arn            = aws_kinesis_firehose_delivery_stream.extended_s3_stream.arn
  event_bus_name = local.event_bus_name
  role_arn       = aws_iam_role.event_rule_firehose_role.arn
}

data "aws_iam_policy_document" "event_rule_firehose_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "event_rule_firehose_role" {
  name               = "${local.prefix}-eventbridge-github-rule"
  assume_role_policy = data.aws_iam_policy_document.event_rule_firehose_role.json
}

data aws_iam_policy_document firehose_stream {
  statement {
    actions = [
      "firehose:DeleteDeliveryStream",
      "firehose:PutRecord",
      "firehose:PutRecordBatch",
      "firehose:UpdateDestination"
    ]
    resources = [aws_kinesis_firehose_delivery_stream.extended_s3_stream.arn]
  }
}


resource "aws_iam_role_policy" "event_rule_firehose_role" {
  name = "target-event-rule-firehose"
  role = aws_iam_role.event_rule_firehose_role.name
  policy = data.aws_iam_policy_document.firehose_stream.json
}


resource "random_uuid" "firehose_stream" {}

resource "aws_s3_bucket" "firehose_stream" {
  bucket        = "${local.prefix}-${random_uuid.firehose_stream.result}"
  force_destroy = true
}

# resource "aws_s3_bucket_acl" "firehose_stream" {
#   bucket = aws_s3_bucket.firehose_stream.id
#   acl    = "private"
# }

data "aws_iam_policy_document" "firehose_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["firehose.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "firehose_role" {
  name               = "${local.prefix}-firehose-role"
  assume_role_policy = data.aws_iam_policy_document.firehose_assume_role_policy.json
}

data "aws_iam_policy_document" "firehose_s3" {
  statement {
    actions = [
      "s3:AbortMultipartUpload",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject"
    ]
    resources = [aws_s3_bucket.firehose_stream.arn, "${aws_s3_bucket.firehose_stream.arn}/*"]
  }
}

resource "aws_iam_role_policy" "firehose_s3" {
  name = "${local.prefix}-s3"
  role = aws_iam_role.firehose_role.name
  policy = data.aws_iam_policy_document.firehose_s3.json
}

data "aws_iam_policy_document" "firehose_log" {
  statement {
    actions = [
      "logs:PutLogEvents",
      "logs:CreateLogStream",
      "logs:CreateLogGroup"
    ]
    resources = [aws_cloudwatch_log_group.firehose_delivery_stream.arn]
  }
}

resource "aws_iam_role_policy" "firehose_log" {
  name = "${local.prefix}-log"
  role = aws_iam_role.firehose_role.name
  policy = data.aws_iam_policy_document.firehose_log.json
}

resource "aws_kinesis_firehose_delivery_stream" "extended_s3_stream" {
  name        = "${local.prefix}-stream"
  destination = "extended_s3"

  extended_s3_configuration {
    role_arn   = aws_iam_role.firehose_role.arn
    bucket_arn = aws_s3_bucket.firehose_stream.arn
  }
}

resource "aws_cloudwatch_log_group" "firehose_delivery_stream" {
  name              = "/aws/kinesisfirehose/${aws_kinesis_firehose_delivery_stream.extended_s3_stream.name}"
  retention_in_days = 14
}

[mpas]

In the examples lots of commented TF, this will leave room for mistakes, we tend to forget options that are deleted or have been renamed etc.

[npalm]

You ar right, but feel free to suggest another way. Would be great to do it different. But the examples are also a great way to check a PR quickly.

[mpas]

Do not see big problems, only some styling/spelling issues.

[npalm]

@mpas can you check 'my' last commit. Updated the top level object to configure the feature. And marked it beta in the docs.

[mpas]

Suggested change

- Webhook mode, the module can be deployed in the mode `direct` and `eventbridge` (Experimental). The `direct` mode is the default and will directly distribute to SQS for the scale-up lambda. The `eventbridge` mode will publish the event to an event bus with a target rule the events are sent to a dispatch lambda. The dispatch lambda will send the event to the SQS queue. The `eventbridge` mode is useful when you want to have more control over the events and potentially filter them. The `eventbridge` mode is disabled by default. We expect thhe `eventbridge` mode will be the future direction to build a data lake, build metrics, acto on `workflow_job` job started events, etc.

- Webhook mode, the module can be deployed in the mode `direct` and `eventbridge` (Experimental). The `direct` mode is the default and will directly distribute to SQS for the scale-up lambda. The `eventbridge` mode will publish the event to an event bus with a target rule the events are sent to a dispatch lambda. The dispatch lambda will send the event to the SQS queue. The `eventbridge` mode is useful when you want to have more control over the events and potentially filter them. The `eventbridge` mode is disabled by default. We expect thhe `eventbridge` mode will be the future direction to build a data lake, build metrics, act on `workflow_job` job started events, etc.

[mpas]

Suggested change

The moment a GitHub action workflow requiring a `self-hosted` runner is triggered, GitHub will try to find a runner which can execute the workload. See [additional notes](additional_notes.md) for how the selection is made. The module can be deployed in two modes. One mode called `direct`, after accepting the [`workflow_job` event](https://docs.github.com/en/free-pro-team@latest/developers/webhooks-and-events/webhook-events-and-payloads#workflow_job) event the module will dispatch the event to a SQS queue on which the scale-up function will act. The second mode, `eventbridge` will funnel events via the AWS EventBridge. the EventBridge enables act on other events then only the `workflow_job` event with status `queued`. besides that the EventBridge suppors replay functionality. For future exenstions to act on events or create a data lake we will relay on the EventBridge.

The moment a GitHub action workflow requiring a `self-hosted` runner is triggered, GitHub will try to find a runner which can execute the workload. See [additional notes](additional_notes.md) for how the selection is made. The module can be deployed in two modes. One mode called `direct`, after accepting the [`workflow_job` event](https://docs.github.com/en/free-pro-team@latest/developers/webhooks-and-events/webhook-events-and-payloads#workflow_job) event the module will dispatch the event to a SQS queue on which the scale-up function will act. The second mode, `eventbridge` will funnel events via the AWS EventBridge. the EventBridge enables act on other events then only the `workflow_job` event with status `queued`. besides that the EventBridge supports replay functionality. For future extensions to act on events or create a data lake we will relay on the EventBridge.

[mpas]

Suggested change

	| <a name="input_eventbridge"></a> [eventbridge](#input\_eventbridge) | Enable the use of EventBridge by the module. By enable this feature events will be putted on the EventBridge bhy the webhook instead of directly dispatchting to queues for sacling. | <pre>object({<br/> enable = optional(bool, false)<br/> accept_events = optional(list(string), [])<br/> })</pre> | `{}` | no |
	| <a name="input_eventbridge"></a> [eventbridge](#input\_eventbridge) | Enable the use of EventBridge by the module. By enable this feature events will be putted on the EventBridge by the webhook instead of directly dispatching to queues for scaling. | <pre>object({<br/> enable = optional(bool, false)<br/> accept_events = optional(list(string), [])<br/> })</pre> | `{}` | no |

[mpas]

Suggested change

	"Resource": ${resource_arns}
	"Resource": "${resource_arns}"

[mpas]

Suggested change

	"Resource": ${resource_arns}
	"Resource": "${resource_arns}"

[mpas]

Can this be deleted? Its all commented

[mpas]

Suggested change

	| <a name="input_enable_workflow_job_events_queue"></a> [enable\_workflow\_job\_events\_queue](#input\_enable\_workflow\_job\_events\_queue) | Enabling this experimental feature will create a secondory sqs queue to which a copy of the workflow\_job event will be delivered. | `bool` | `false` | no |
	| <a name="input_enable_workflow_job_events_queue"></a> [enable\_workflow\_job\_events\_queue](#input\_enable\_workflow\_job\_events\_queue) | Enabling this experimental feature will create a secondary sqs queue to which a copy of the workflow\_job event will be delivered. | `bool` | `false` | no |