{"id":18419787,"url":"https://github.com/telia-oss/concourse-github-lambda","last_synced_at":"2025-04-07T13:31:46.559Z","repository":{"id":51293586,"uuid":"122950129","full_name":"telia-oss/concourse-github-lambda","owner":"telia-oss","description":"Lambda function for handling Github access tokens and deploy keys used by Concourse teams","archived":false,"fork":false,"pushed_at":"2023-12-18T21:54:13.000Z","size":2713,"stargazers_count":6,"open_issues_count":4,"forks_count":7,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-03-22T19:12:08.957Z","etag":null,"topics":["aws","concourse","github","lambda"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/telia-oss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-26T10:00:59.000Z","updated_at":"2023-07-25T14:15:19.000Z","dependencies_parsed_at":"2024-06-19T02:42:13.728Z","dependency_job_id":null,"html_url":"https://github.com/telia-oss/concourse-github-lambda","commit_stats":null,"previous_names":["teliasoneranorge/concourse-github-lambda"],"tags_count":21,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fconcourse-github-lambda","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fconcourse-github-lambda/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fconcourse-github-lambda/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/telia-oss%2Fconcourse-github-lambda/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/telia-oss","download_url":"https://codeload.github.com/telia-oss/concourse-github-lambda/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247661782,"owners_count":20975117,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","concourse","github","lambda"],"created_at":"2024-11-06T04:18:23.395Z","updated_at":"2025-04-07T13:31:44.098Z","avatar_url":"https://github.com/telia-oss.png","language":"Go","readme":"## concourse-github-lambda\n\n[![Build Status](https://travis-ci.org/telia-oss/concourse-github-lambda.svg?branch=master)](https://travis-ci.org/telia-oss/concourse-github-lambda)\n\nLambda function for handling Github access tokens and deploy keys used by Concourse teams. See\nthe terraform subdirectory for an example that should work (with minimal effort).\n\n### Why?\n\nOur CI/CD (in our case Concourse) needs deploy keys to fetch code from Github, and\naccess tokens to set statuses on commits or comment on pull requests.\nInstead of having teams do this manually, we can use this Lambda and simply pass\na list of repositories that the team requires access to, and deploy keys will be\ngenerated and written to Secrets Manager (where it is available to their pipelines).\n\n### How?\n\n1. This Lambda function is deployed to the same account as our Concourse.\n2. It is given an integration ID and private key for two separate [Github Apps](https://developer.github.com/apps/).\n3. A team adds a CloudWatch event rule with the configuration for which repositories they need access to, and under which \norganisation. \n4. The lambda creates/rotates an access token and deploy key for each team, every 30min and 7 days respectively.\n\n### Usage\n\nAfter you have checked out the [prerequisites](#prerequisites), either download a zip from the \n[releases](https://github.com/telia-oss/concourse-github-lambda/releases), or build it yourself by \nrunning `make release` in the root of this repository. After you have a binary, you can edit \n[terraform/example.tf](./terraform/example.tf) to your liking and deploy the example by running:\n\n```bash\nterraform init\nterraform apply\n```\n\nNOTE: The `aws/secretsmanager` KMS Key Alias has to be created/exist before the lambda is deployed.\n\n### Team configuration\n\nExample configuration for a Team (which is then passed as input in the CloudWatch event rule):\n\n```json\n{\n  \"name\": \"example-team\",\n  \"repositories\": [\n    {\n      \"name\": \"concourse-github-lambda\",\n      \"owner\": \"telia-oss\",\n      \"readOnly\": \"true\"\n    }\n  ]\n}\n```\n\nWhen the function is triggered with the above input, it will create a deploy key for `telia-oss/concourse-github-lambda`,\nwrite a private key to `/concourse/example-team/concourse-github-lambda-deploy-key` and access token to \n`/concourse/example-team/telia-oss-access-token`.\n\n### Prerequisites\n\n#### Github Apps\n\n\nThis Lambda requires credentials for two separate Github Apps in order to generate deploy keys and access tokens. See the \nofficial documentation on [Creating a Github App](https://developer.github.com/apps/building-github-apps/creating-a-github-app/),\nand grant them the following permissions:\n\n- key-service (generates deploy keys): [Repository administration (`write`)](https://developer.github.com/v3/apps/permissions/#permission-on-administration)\n- token-service (generates access tokens): ... any permissions really, or no permissions if you prefer that.\n\nE.g., to make use of all the features in [github-pr-resource](https://github.com/telia-oss/github-pr-resource)), you'll need\nthe following permissions for the `token-service`:\n  - [statuses (`write`)](https://developer.github.com/v3/apps/permissions/#permission-on-statuses)\n  - [pull requests (`write`)](https://developer.github.com/v3/apps/permissions/#permission-on-pull-requests)\n  - [repository contents (`read`)](https://developer.github.com/v3/apps/permissions/#permission-on-contents)\n\nNote that we went with two Github Apps because we did not want to generate access tokens from the `key-service` app, because\nthe token would have admin access to all repositories where the app was installed, and unfortunately have not found a way\nto further scope down the privileges of the generated tokens. The compromise then is to have a 2nd github app (`token-service`) which has less dangerous permissions, which we can then use to generate the access tokens.\n\n#### Secrets\n\nThis lambda uses [aws-env](https://github.com/telia-oss/aws-env) to securely populate environment variables\nwith their values from either AWS Secrets manager, SSM Parameter store or KMS. This makes it easy to handle\ncredentials in a safe manner, and we recommend using secrets manager or SSM (over KMS) to pass the Github Apps\ncredentials to the lambda function. Below is an example of setting up the required secrets for the example,\nusing Secrets Manager:\n\n```bash\naws secretsmanager create-secret \\\n  --name /concourse-github-lambda/token-service/integration-id \\\n  --secret-string \"13024\" \\\n  --region eu-west-1\n\naws secretsmanager create-secret \\\n  --name /concourse-github-lambda/token-service/private-key \\\n  --secret-string file:///Users/someone/Downloads/concourse-github-token-service.pem \\\n  --region eu-west-1\n\naws secretsmanager create-secret \\\n  --name /concourse-github-lambda/key-service/integration-id \\\n  --secret-string \"13025\" \\\n  --region eu-west-1\n\naws secretsmanager create-secret \\\n  --name /concourse-github-lambda/key-service/private-key \\\n  --secret-string file:///Users/someone/Downloads/concourse-github-key-service.pem \\\n  --region eu-west-1\n```\n\nTo update the values, use `update-secret` and `--secret-id` instead of `create-secret` and `--name`.\nOtherwise the arguments can remain the same.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelia-oss%2Fconcourse-github-lambda","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftelia-oss%2Fconcourse-github-lambda","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftelia-oss%2Fconcourse-github-lambda/lists"}