From 7235cdc40686f3218e1991ec9a8feeb900b719f1 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Wed, 7 Aug 2024 16:10:51 +0200
Subject: [PATCH] fix: align inlince policies (#4046)

## Description

Most of the lambdas are defining inline policies in the dedicated role for the lambda. The naming of the inline policies is a bit chaotic. This PR aligns the naming removes redundant parts of the naming like the the lamba name or prefix. This is allready part of the role fix #4045
---
 modules/ami-housekeeper/main.tf | 7 ++++---
 modules/runner-binaries-syncer/runner-binaries-syncer.tf | 5 +++--
 modules/runners/pool/main.tf | 5 +++--
 modules/runners/scale-down.tf | 5 +++--
 modules/runners/scale-up.tf | 7 ++++---
 modules/runners/ssm-housekeeper.tf | 5 +++--
 modules/webhook/webhook.tf | 9 +++++----
 7 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/modules/ami-housekeeper/main.tf b/modules/ami-housekeeper/main.tf
index a1e66c24ef..9de45f592f 100644
--- a/modules/ami-housekeeper/main.tf
+++ b/modules/ami-housekeeper/main.tf
@@ -84,7 +84,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
 }
 resource "aws_iam_role_policy" "lambda_logging" {
- name = "${var.prefix}-lambda-logging-policy-ami-housekeeper"
+ name = "logging-policy"
 role = aws_iam_role.ami_housekeeper.id
 policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
@@ -93,14 +93,14 @@ resource "aws_iam_role_policy" "lambda_logging" {
 }
 resource "aws_iam_role_policy" "ami_housekeeper" {
- name = "${var.prefix}-lambda-ami-policy"
+ name = "lambda-ami-policy"
 role = aws_iam_role.ami_housekeeper.id
 policy = templatefile("${path.module}/policies/lambda-ami-housekeeper.json", {})
 }
 resource "aws_cloudwatch_event_rule" "ami_housekeeper" {
- name = "${var.prefix}-ami-housekeeper-rule"
+ name = "ami-housekeeper-rule"
 schedule_expression = var.lambda_schedule_expression
 tags = var.tags
 state = var.state_event_rule_ami_housekeeper
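Review bot: Dropping `${var.prefix}` from `aws_cloudwatch_event_rule.ami_housekeeper` in the second ami-housekeeper hunk goes beyond the inline-policy renames this commit describes: an EventBridge rule name must be unique per event bus within an account and region, whereas an inline policy name only needs to be unique within its role, so a fixed `ami-housekeeper-rule` collides as soon as the module is deployed twice in the same account/region (two environments that previously differed only by prefix). Keep it as `name = "${var.prefix}-ami-housekeeper-rule"`. Separately, every `name` change on an `aws_iam_role_policy` here and in the later hunks forces replacement of the inline policy, and with Terraform's default delete-then-create ordering the lambda role is presumably without that policy for a short window during apply; for the logging and scale-up policies that deserves a line in the upgrade notes.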
@@ -127,6 +127,7 @@ resource "aws_lambda_permission" "ami_housekeeper" {
 resource "aws_iam_role_policy" "ami_housekeeper_xray" {
 count = var.tracing_config.mode != null ? 1 : 0
+ name = "xray-policy"
 policy = data.aws_iam_policy_document.lambda_xray[0].json
 role = aws_iam_role.ami_housekeeper.name
 }
diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
index 6be75c3332..d3f5f08efa 100644
--- a/modules/runner-binaries-syncer/runner-binaries-syncer.tf
+++ b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
@@ -103,7 +103,7 @@ data "aws_iam_policy_document" "lambda_assume_role_policy" {
 }
 resource "aws_iam_role_policy" "lambda_logging" {
- name = "${var.prefix}-lambda-logging-policy-syncer"
+ name = "logging-policys"
 role = aws_iam_role.syncer_lambda.id
 policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
@@ -112,7 +112,7 @@ resource "aws_iam_role_policy" "lambda_logging" {
 }
 resource "aws_iam_role_policy" "syncer" {
- name = "${var.prefix}-lambda-syncer-s3-policy"
+ name = "s3-policy"
 role = aws_iam_role.syncer_lambda.id
 policy = templatefile("${path.module}/policies/lambda-syncer.json", {
@@ -186,6 +186,7 @@ resource "aws_lambda_permission" "on_deploy" {
 resource "aws_iam_role_policy" "syncer_lambda_xray" {
 count = var.tracing_config.mode != null ? 1 : 0
+ name = "xray-policy"
 policy = data.aws_iam_policy_document.lambda_xray[0].json
 role = aws_iam_role.syncer_lambda.name
 }
diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf
index cd9b6e9c2b..e784886704 100644
--- a/modules/runners/pool/main.tf
+++ b/modules/runners/pool/main.tf
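Review bot: `name = "logging-policys"` in the runner-binaries-syncer `lambda_logging` hunk is a typo; every other module in this commit names the CloudWatch inline policy `logging-policy`, so this one would still stand out after the alignment the commit is meant to achieve. Change it to `+  name = "logging-policy"`. The `s3-policy` and `xray-policy` names in the neighbouring hunks follow the convention and look fine.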
@@ -81,7 +81,7 @@ resource "aws_iam_role" "pool" {
 }
 resource "aws_iam_role_policy" "pool" {
- name = "${var.config.prefix}-lambda-pool-policy"
+ name = "pool-policy"
 role = aws_iam_role.pool.name
 policy = templatefile("${path.module}/policies/lambda-pool.json", {
 arn_ssm_parameters_path_config = var.config.arn_ssm_parameters_path_config
@@ -94,7 +94,7 @@ resource "aws_iam_role_policy" "pool" {
 }
 resource "aws_iam_role_policy" "pool_logging" {
- name = "${var.config.prefix}-lambda-logging"
+ name = "logging-policy"
 role = aws_iam_role.pool.name
 policy = templatefile("${path.module}/../policies/lambda-cloudwatch.json", {
 log_group_arn = aws_cloudwatch_log_group.pool.arn
@@ -174,6 +174,7 @@ data "aws_iam_policy_document" "lambda_xray" {
 resource "aws_iam_role_policy" "pool_xray" {
 count = var.tracing_config.mode != null ? 1 : 0
+ name = "xray-policy"
 policy = data.aws_iam_policy_document.lambda_xray[0].json
 role = aws_iam_role.pool.name
 }
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
index 5fc9c02ee0..08138dcf3e 100644
--- a/modules/runners/scale-down.tf
+++ b/modules/runners/scale-down.tf
@@ -90,7 +90,7 @@ resource "aws_iam_role" "scale_down" {
 }
 resource "aws_iam_role_policy" "scale_down" {
- name = "${var.prefix}-lambda-scale-down-policy"
+ name = "scale-down-policy"
 role = aws_iam_role.scale_down.name
 policy = templatefile("${path.module}/policies/lambda-scale-down.json", {
 environment = var.prefix
@@ -101,7 +101,7 @@ resource "aws_iam_role_policy" "scale_down" {
 }
 resource "aws_iam_role_policy" "scale_down_logging" {
- name = "${var.prefix}-lambda-logging"
+ name = "logging-policy"
 role = aws_iam_role.scale_down.name
 policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
 log_group_arn = aws_cloudwatch_log_group.scale_down.arn
@@ -116,6 +116,7 @@ resource "aws_iam_role_policy_attachment" "scale_down_vpc_execution_role" {
 resource "aws_iam_role_policy" "scale_down_xray" {
 count = var.tracing_config.mode != null ? 1 : 0
+ name = "xray-policy"
 policy = data.aws_iam_policy_document.lambda_xray[0].json
 role = aws_iam_role.scale_down.name
 }
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
index cd3fd2c9b5..0b6bf7b54f 100644
--- a/modules/runners/scale-up.tf
+++ b/modules/runners/scale-up.tf
@@ -95,7 +95,7 @@ resource "aws_iam_role" "scale_up" {
 }
 resource "aws_iam_role_policy" "scale_up" {
- name = "${var.prefix}-lambda-scale-up-policy"
+ name = "scale-up-policy"
 role = aws_iam_role.scale_up.name
 policy = templatefile("${path.module}/policies/lambda-scale-up.json", {
 arn_runner_instance_role = aws_iam_role.runner.arn
@@ -110,7 +110,7 @@ resource "aws_iam_role_policy" "scale_up" {
 resource "aws_iam_role_policy" "scale_up_logging" {
- name = "${var.prefix}-lambda-logging"
+ name = "logging-policy"
 role = aws_iam_role.scale_up.name
 policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
 log_group_arn = aws_cloudwatch_log_group.scale_up.arn
@@ -119,7 +119,7 @@ resource "aws_iam_role_policy" "scale_up_logging" {
 resource "aws_iam_role_policy" "service_linked_role" {
 count = var.create_service_linked_role_spot ? 1 : 0
- name = "${var.prefix}-service_linked_role"
+ name = "service_linked_role"
 role = aws_iam_role.scale_up.name
 policy = templatefile("${path.module}/policies/service-linked-role-create-policy.json", { aws_partition = var.aws_partition })
 }
@@ -138,6 +138,7 @@ resource "aws_iam_role_policy_attachment" "ami_id_ssm_parameter_read" {
 resource "aws_iam_role_policy" "scale_up_xray" {
 count = var.tracing_config.mode != null ? 1 : 0
+ name = "xray-policy"
 policy = data.aws_iam_policy_document.lambda_xray[0].json
 role = aws_iam_role.scale_up.name
 }
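Review bot: `name = "service_linked_role"` in the third scale-up hunk is the only renamed inline policy that keeps underscores and drops the `-policy` suffix, which is at odds with `scale-up-policy`, `logging-policy` and `xray-policy` in the surrounding hunks. Since the point of the commit is consistent naming, `name = "service-linked-role-policy"` would match the rest. Like the other renames this forces replacement of the inline policy, but it is gated by `count = var.create_service_linked_role_spot ? 1 : 0`, so only deployments that enable the spot service-linked role see it.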
diff --git a/modules/runners/ssm-housekeeper.tf b/modules/runners/ssm-housekeeper.tf
index 64a63ed92d..e9c2a175ba 100644
--- a/modules/runners/ssm-housekeeper.tf
+++ b/modules/runners/ssm-housekeeper.tf
@@ -92,7 +92,7 @@ resource "aws_iam_role" "ssm_housekeeper" {
 }
 resource "aws_iam_role_policy" "ssm_housekeeper" {
- name = "lambda-ssm"
+ name = "ssm-policy"
 role = aws_iam_role.ssm_housekeeper.name
 policy = templatefile("${path.module}/policies/lambda-ssm-housekeeper.json", {
 ssm_token_path = "arn:${var.aws_partition}:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter${local.token_path}"
@@ -100,7 +100,7 @@ resource "aws_iam_role_policy" "ssm_housekeeper" {
 }
 resource "aws_iam_role_policy" "ssm_housekeeper_logging" {
- name = "lambda-logging"
+ name = "logging-policy"
 role = aws_iam_role.ssm_housekeeper.name
 policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
 log_group_arn = aws_cloudwatch_log_group.ssm_housekeeper.arn
@@ -115,6 +115,7 @@ resource "aws_iam_role_policy_attachment" "ssm_housekeeper_vpc_execution_role" {
 resource "aws_iam_role_policy" "ssm_housekeeper_xray" {
 count = var.tracing_config.mode != null ? 1 : 0
+ name = "xray-policy"
 policy = data.aws_iam_policy_document.lambda_xray[0].json
 role = aws_iam_role.ssm_housekeeper.name
 }
diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf
index 5c5759b51b..b141621a39 100644
--- a/modules/webhook/webhook.tf
+++ b/modules/webhook/webhook.tf
@@ -102,7 +102,7 @@ resource "aws_iam_role" "webhook_lambda" {
 }
 resource "aws_iam_role_policy" "webhook_logging" {
- name = "${var.prefix}-lambda-logging-policy"
+ name = "logging-policy"
 role = aws_iam_role.webhook_lambda.name
 policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
 log_group_arn = aws_cloudwatch_log_group.webhook.arn
@@ -116,7 +116,7 @@ resource "aws_iam_role_policy_attachment" "webhook_vpc_execution_role" {
 }
 resource "aws_iam_role_policy" "webhook_sqs" {
- name = "${var.prefix}-lambda-webhook-publish-sqs-policy"
+ name = "publish-sqs-policy"
 role = aws_iam_role.webhook_lambda.name
 policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
@@ -127,7 +127,7 @@ resource "aws_iam_role_policy" "webhook_sqs" {
 resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
 count = var.sqs_workflow_job_queue != null ? 1 : 0
- name = "${var.prefix}-lambda-webhook-publish-workflow-job-sqs-policy"
+ name = "publish-workflow-job-sqs-policy"
 role = aws_iam_role.webhook_lambda.name
 policy = templatefile("${path.module}/policies/lambda-publish-sqs-policy.json", {
@@ -137,7 +137,7 @@ resource "aws_iam_role_policy" "webhook_workflow_job_sqs" {
 }
 resource "aws_iam_role_policy" "webhook_ssm" {
- name = "${var.prefix}-lambda-webhook-publish-ssm-policy"
+ name = "publish-ssm-policy"
 role = aws_iam_role.webhook_lambda.name
 policy = templatefile("${path.module}/policies/lambda-ssm.json", {
@@ -148,6 +148,7 @@ resource "aws_iam_role_policy" "webhook_ssm" {
 resource "aws_iam_role_policy" "xray" {
 count = var.tracing_config.mode != null ? 1 : 0
+ name = "xray-policy"
 policy = data.aws_iam_policy_document.lambda_xray[0].json
 role = aws_iam_role.webhook_lambda.name
 }