From be0f2c5f85e80d4ba919617d98dba3a660627ad5 Mon Sep 17 00:00:00 2001
From: MarcoIeni <11428655+MarcoIeni@users.noreply.github.com>
Date: Fri, 28 Mar 2025 10:55:47 +0100
Subject: [PATCH] remove sync-team aws lambda
---
 terraform/team-repo/ci.tf | 78 ---------
 .../lambdas/start-sync-team/index.js | 9 -
 terraform/team-repo/sync-team.tf | 155 ------------------
 3 files changed, 242 deletions(-)
 delete mode 100644 terraform/team-repo/lambdas/start-sync-team/index.js
diff --git a/terraform/team-repo/ci.tf b/terraform/team-repo/ci.tf
index 38c165162..da5a48621 100644
--- a/terraform/team-repo/ci.tf
+++ b/terraform/team-repo/ci.tf
@@ -6,81 +6,3 @@ module "ecr" {
 source = "../shared/modules/ecr-repo"
 name = "sync-team"
 }
-
-// IAM role used by rust-lang/sync-team's CI to push the built images to ECR
-// and to invoke the lambda function that runs sync-team.
-
-module "ci_sync_team" {
- source = "../shared/modules/gha-oidc-role"
- org = "rust-lang"
- repo = "sync-team"
- environment = "deploy"
-}
-
-// IAM role used by rust-lang/team's CI to invoke the lambda function that
-// runs sync-team.
-
-module "ci_team" {
- source = "../shared/modules/gha-oidc-role"
- org = "rust-lang"
- repo = "team"
- environment = "deploy"
-}
-
-// Policies that allow the sync-team role to interact with ECR
-
-resource "aws_iam_role_policy_attachment" "ci_sync_team_pull" {
- role = module.ci_sync_team.role.id
- policy_arn = module.ecr.policy_pull_arn
-}
-
-resource "aws_iam_role_policy_attachment" "ci_sync_team_push" {
- role = module.ci_sync_team.role.id
- policy_arn = module.ecr.policy_push_arn
-}
-
-// Policy for interacting with the lambda function that runs sync-team through CodeBuild.
-//
-// The CI needs to call the intermediate Lambda function to start the CodeBuild
-// for security reasons, as CodeBuild's StartBuild API call allows to override
-// pretty much any build parameter, including the executed commands. That could
-// allow an attacker to (for example) leak secrets.
-
-resource "aws_iam_policy" "start_sync_team_policy" {
- name = "start-sync-team-policy"
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Sid = "InvokeLambda"
- Effect = "Allow"
- Action = "lambda:InvokeFunction"
- Resource = module.lambda_start_sync_team.arn
- }
- ]
- })
-}
-
-// Attaching the invoke lambda function policy to the team and team-sync repos' roles.
-
-resource "aws_iam_role_policy_attachment" "start_sync_team_team_repo" {
- role = module.ci_team.role.id
- policy_arn = aws_iam_policy.start_sync_team_policy.arn
-}
-
-resource "aws_iam_role_policy_attachment" "start_sync_team_sync_team_repo" {
- role = module.ci_sync_team.role.id
- policy_arn = aws_iam_policy.start_sync_team_policy.arn
-}
-
-// The lambda function for running team-sync
-
-module "lambda_start_sync_team" {
- source = "../shared/modules/lambda"
-
- name = "start-sync-team"
- source_dir = "lambdas/start-sync-team"
- handler = "index.handler"
- runtime = "nodejs20.x"
- role_arn = aws_iam_role.start_execution.arn
-}
diff --git a/terraform/team-repo/lambdas/start-sync-team/index.js b/terraform/team-repo/lambdas/start-sync-team/index.js
deleted file mode 100644
index 1c38f0d98..000000000
--- a/terraform/team-repo/lambdas/start-sync-team/index.js
+++ /dev/null
@@ -1,9 +0,0 @@
-const { CodeBuildClient, StartBuildCommand } = require("@aws-sdk/client-codebuild");
-
-const client = new CodeBuildClient();
-
-exports.handler = async function(event) {
- await client.send(new StartBuildCommand({
- projectName: 'sync-team',
- }));
-};
diff --git a/terraform/team-repo/sync-team.tf b/terraform/team-repo/sync-team.tf
index 4371c9896..ba6669e33 100644
--- a/terraform/team-repo/sync-team.tf
+++ b/terraform/team-repo/sync-team.tf
@@ -5,158 +5,3 @@ resource "aws_cloudwatch_log_group" "sync_team" {
 name = "/sync-team"
 retention_in_days = 30
 }
-
-resource "aws_codebuild_project" "sync_team" {
- name = "sync-team"
- description = "Execution of rust-lang/sync-team with production credentials."
- build_timeout = 30
- service_role = aws_iam_role.sync_team.arn
-
- source {
- type = "NO_SOURCE"
- buildspec = <<-EOF
- ---
- version: 0.2
- phases:
- build:
- commands:
- - sync-team apply
- EOF
- }
-
- environment {
- compute_type = "BUILD_GENERAL1_SMALL"
- type = "LINUX_CONTAINER"
- image_pull_credentials_type = "SERVICE_ROLE"
- image = module.ecr.url
-
- environment_variable {
- type = "PARAMETER_STORE"
- name = "GITHUB_TOKEN"
- value = "/prod/sync-team/github-token"
- }
-
- environment_variable {
- type = "PARAMETER_STORE"
- name = "MAILGUN_API_TOKEN"
- value = "/prod/sync-team/mailgun-api-token"
- }
-
- environment_variable {
- type = "PARAMETER_STORE"
- name = "EMAIL_ENCRYPTION_KEY"
- value = "/prod/sync-team/email-encryption-key"
- }
-
- environment_variable {
- type = "PARAMETER_STORE"
- name = "ZULIP_USERNAME"
- value = "/prod/sync-team/zulip-username"
- }
-
- environment_variable {
- type = "PARAMETER_STORE"
- name = "ZULIP_API_TOKEN"
- value = "/prod/sync-team/zulip-api-token"
- }
- }
-
- logs_config {
- cloudwatch_logs {
- group_name = aws_cloudwatch_log_group.sync_team.name
- }
- }
-
- artifacts {
- type = "NO_ARTIFACTS"
- }
-}
-
-// IAM Role that CodeBuild will assume when running the build. The role will
-// grant access to write the logs, read parameters and pull the ECR image.
-
-resource "aws_iam_role" "sync_team" {
- name = "codebuild--sync-team"
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = "sts:AssumeRole"
- Principal = {
- Service = "codebuild.amazonaws.com"
- }
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy_attachment" "sync_team_pull_ecr" {
- role = aws_iam_role.sync_team.name
- policy_arn = module.ecr.policy_pull_arn
-}
-
-resource "aws_iam_role_policy" "sync_team" {
- role = aws_iam_role.sync_team.name
-
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Sid = "AllowParameterStore"
- Effect = "Allow"
- Action = "ssm:GetParameters"
- Resource = [
- "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/prod/sync-team/*"
- ]
- },
- {
- Sid = "AllowLogs"
- Effect = "Allow"
- Action = [
- "logs:PutLogEvents",
- "logs:CreateLogStream",
- ]
- Resource = "${aws_cloudwatch_log_group.sync_team.arn}:*"
- }
- ]
- })
-}
-
-// IAM Role that can be assumed to start the synchronization.
-
-resource "aws_iam_role" "start_execution" {
- name = "start-sync-team"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Effect = "Allow"
- Action = "sts:AssumeRole"
- Principal = {
- Service = [
- "events.amazonaws.com",
- "lambda.amazonaws.com",
- ]
- }
- }
- ]
- })
-}
-
-resource "aws_iam_role_policy" "start_execution" {
- role = aws_iam_role.start_execution.name
-
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Sid = "AllowStartBuild"
- Effect = "Allow"
- Action = "codebuild:StartBuild"
- Resource = aws_codebuild_project.sync_team.arn
- }
- ]
- })
-}